Windows Analysis Report
Bank swift.exe

Overview

General Information

Sample name: Bank swift.exe
Analysis ID: 1540335
MD5: a9a37483725640f15287ebad5eddfabf
SHA1: 9f254db4527381e6496df48b5bf1c3f022cb704b
SHA256: 7485c7b439341ddefbc3a27c36fd79acd5bad67aed05e9ccdaf7689a6d71ab23
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Bank swift.exe (PID: 5556 cmdline: "C:\Users\user\Desktop\Bank swift.exe" MD5: A9A37483725640F15287EBAD5EDDFABF)
    • Bank swift.exe (PID: 5712 cmdline: "C:\Users\user\Desktop\Bank swift.exe" MD5: A9A37483725640F15287EBAD5EDDFABF)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cscript.exe (PID: 6340 cmdline: "C:\Windows\SysWOW64\cscript.exe" MD5: CB601B41D4C8074BE8A84AED564A94DC)
          • cmd.exe (PID: 6556 cmdline: /c del "C:\Users\user\Desktop\Bank swift.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.ehills.shop/m25s/"], "decoy": ["araghospitality.net", "cleans.xyz", "olnacasinotcs14.top", "pringhillinfos.net", "erkakasrumah.online", "orean-course-289113002.zone", "yeloma-treatment-82106.bond", "76iw543gw.autos", "nline-shopping-56055.bond", "enetik.xyz", "ax-th-6011838.fyi", "itygatehousing.app", "23zy998jk.bond", "pslag-hal-2.online", "uykoii.shop", "9supjub3p.buzz", "tmgl.bond", "actus-catering-creations.net", "ntercashspace24.homes", "ierra777.vip", "ental-health-69511.bond", "newordforpurpose.info", "roppsple.shop", "edant.ltd", "imitake.xyz", "ransportationmwmptpro.top", "roncrow.biz", "armanshop.xyz", "ealthy-life-products.online", "raphic-design-degree-33148.bond", "ildcraft.xyz", "16-lawn-care.today", "7732.club", "vitor.live", "uy-smart-tv-nl.today", "sone.best", "ellcli.net", "52006.club", "abelzshop.online", "cctofi.cpa", "alisu.xyz", "roformance.shop", "cskuvq.shop", "anforexuytin.cfd", "raceg.cyou", "rimevest-global.info", "ealthcare-trends-60670.bond", "oo.bio", "itodemo.click", "ottah.studio", "teamgame-mod.net", "39474.club", "yai11.top", "onnorbell.design", "dt5r.shop", "6874.club", "wistlnc.net", "ntermoney24cad.homes", "attoomasteracademy.online", "3win4.cyou", "xewaov.xyz", "6uzh.digital", "ransportationwlsltpro.top", "oches-a-credito-es.bond"]}
Source | Rule | Description | Author | Strings
00000004.00000002.4516511425.000000000F271000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_772cc62d | unknown | unknown
  • 0xae2:$a2: pass
  • 0xae8:$a3: email
  • 0xaef:$a4: login
  • 0xaf6:$a5: signin
  • 0xb07:$a6: persistent
  • 0xcda:$r1: C:\Users\user\AppData\Roaming\155P2OVU\155log.ini
00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  (25 further memory-dump entries not shown in this extract)
Source | Rule | Description | Author | Strings
3.2.Bank swift.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.Bank swift.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.Bank swift.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.Bank swift.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Bank swift.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18809:$sqlite3step: 68 34 1C 7B E1
  • 0x1891c:$sqlite3step: 68 34 1C 7B E1
  • 0x18838:$sqlite3text: 68 38 2A 90 C5
  • 0x1895d:$sqlite3text: 68 38 2A 90 C5
  • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
  (15 further unpacked-PE entries not shown in this extract)
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.ehills.shop/m25s/"], "decoy": ["araghospitality.net", "cleans.xyz", "olnacasinotcs14.top", "pringhillinfos.net", "erkakasrumah.online", "orean-course-289113002.zone", "yeloma-treatment-82106.bond", "76iw543gw.autos", "nline-shopping-56055.bond", "enetik.xyz", "ax-th-6011838.fyi", "itygatehousing.app", "23zy998jk.bond", "pslag-hal-2.online", "uykoii.shop", "9supjub3p.buzz", "tmgl.bond", "actus-catering-creations.net", "ntercashspace24.homes", "ierra777.vip", "ental-health-69511.bond", "newordforpurpose.info", "roppsple.shop", "edant.ltd", "imitake.xyz", "ransportationmwmptpro.top", "roncrow.biz", "armanshop.xyz", "ealthy-life-products.online", "raphic-design-degree-33148.bond", "ildcraft.xyz", "16-lawn-care.today", "7732.club", "vitor.live", "uy-smart-tv-nl.today", "sone.best", "ellcli.net", "52006.club", "abelzshop.online", "cctofi.cpa", "alisu.xyz", "roformance.shop", "cskuvq.shop", "anforexuytin.cfd", "raceg.cyou", "rimevest-global.info", "ealthcare-trends-60670.bond", "oo.bio", "itodemo.click", "ottah.studio", "teamgame-mod.net", "39474.club", "yai11.top", "onnorbell.design", "dt5r.shop", "6874.club", "wistlnc.net", "ntermoney24cad.homes", "attoomasteracademy.online", "3win4.cyou", "xewaov.xyz", "6uzh.digital", "ransportationwlsltpro.top", "oches-a-credito-es.bond"]}
Source: Bank swift.exe | ReversingLabs: Detection: 47%
Source: Yara match | File source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Bank swift.exe | Joe Sandbox ML: detected
Source: Bank swift.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Bank swift.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cscript.pdbUGP source: Bank swift.exe, 00000003.00000002.2110051359.00000000015B0000.00000040.10000000.00040000.00000000.sdmp, Bank swift.exe, 00000003.00000002.2109559935.0000000001198000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: ThGx.pdb source: Bank swift.exe
Source: Binary string: ThGx.pdbSHA256 source: Bank swift.exe
Source: Binary string: wntdll.pdbUGP source: Bank swift.exe, 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2108905844.000000000515F000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2112308434.000000000530E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Bank swift.exe, Bank swift.exe, 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000003.2108905844.000000000515F000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2112308434.000000000530E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cscript.pdb source: Bank swift.exe, 00000003.00000002.2110051359.00000000015B0000.00000040.10000000.00040000.00000000.sdmp, Bank swift.exe, 00000003.00000002.2109559935.0000000001198000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_00792674 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, | 5_2_00792674
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 4x nop then pop ebx | 3_2_00407B1B
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx | 5_2_02FD7B1B

Networking

Source: Malware configuration extractor | URLs: www.ehills.shop/m25s/
Source: unknown | DNS traffic detected: query: www.ntermoney24cad.homes replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.newordforpurpose.info replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.teamgame-mod.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.39474.club replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.ransportationwlsltpro.top replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.itygatehousing.app replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.tmgl.bond replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.7732.club replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.erkakasrumah.online replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.araghospitality.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.ehills.shop replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.ntermoney24cad.homes replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.newordforpurpose.info replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.teamgame-mod.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.39474.club replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.ransportationwlsltpro.top replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.itygatehousing.app replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.tmgl.bond replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.7732.club replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.erkakasrumah.online replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.araghospitality.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.ehills.shop replaycode: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: www.tmgl.bond
Source: global traffic | DNS traffic detected: DNS query: www.newordforpurpose.info
Source: global traffic | DNS traffic detected: DNS query: www.39474.club
Source: global traffic | DNS traffic detected: DNS query: www.itygatehousing.app
Source: global traffic | DNS traffic detected: DNS query: www.erkakasrumah.online
Source: global traffic | DNS traffic detected: DNS query: www.7732.club
Source: global traffic | DNS traffic detected: DNS query: www.ehills.shop
Source: global traffic | DNS traffic detected: DNS query: www.teamgame-mod.net
Source: global traffic | DNS traffic detected: DNS query: www.araghospitality.net
Source: global traffic | DNS traffic detected: DNS query: www.ntermoney24cad.homes
Source: global traffic | DNS traffic detected: DNS query: www.ransportationwlsltpro.top
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510303360.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000002.4501873324.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2049993282.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510303360.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510303360.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510303360.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000002.4510303360.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.2065155899.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4508338906.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2065185621.0000000008890000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.39474.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.39474.club/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.39474.club/m25s/www.xewaov.xyz
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.39474.clubReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.52006.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.52006.club/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.52006.club/m25s/A
Source: explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.52006.club/m25s/j
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.52006.clubReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.7732.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.7732.club/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.7732.club/m25s/www.ehills.shop
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.7732.clubReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.araghospitality.net
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.araghospitality.net/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.araghospitality.net/m25s/www.ntermoney24cad.homes
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.araghospitality.netReferer:
Source: explorer.exe, 00000004.00000000.2069825453.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ax-th-6011838.fyi
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ax-th-6011838.fyi/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ax-th-6011838.fyi/m25s/www.ottah.studio
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ax-th-6011838.fyiReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehills.shop
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehills.shop/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehills.shop/m25s/www.teamgame-mod.net
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehills.shopReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.erkakasrumah.online
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.erkakasrumah.online/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.erkakasrumah.online/m25s/www.7732.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.erkakasrumah.onlineReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.itygatehousing.app
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.itygatehousing.app/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.itygatehousing.app/m25s/www.erkakasrumah.online
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.itygatehousing.appReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.newordforpurpose.info
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.newordforpurpose.info/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.newordforpurpose.info/m25s/www.39474.club
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.newordforpurpose.infoReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ntermoney24cad.homes
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ntermoney24cad.homes/m25s/
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ntermoney24cad.homes/m25s/www.ransportationwlsltpro.top
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ntermoney24cad.homesReferer:
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.olnacasinotcs14.top
Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.olnacasinotcs14.top/m25s/
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olnacasinotcs14.top/m25s/www.ax-th-6011838.fyi
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olnacasinotcs14.topReferer:
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ottah.studio
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ottah.studio/m25s/
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ottah.studio/m25s/www.52006.club
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ottah.studioReferer:
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ransportationwlsltpro.top
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ransportationwlsltpro.top/m25s/
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ransportationwlsltpro.top/m25s/www.olnacasinotcs14.top
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ransportationwlsltpro.topReferer:
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.teamgame-mod.net
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.teamgame-mod.net/m25s/
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.teamgame-mod.net/m25s/www.araghospitality.net
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.teamgame-mod.netReferer:
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tmgl.bond
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tmgl.bond/m25s/
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tmgl.bond/m25s/www.newordforpurpose.info
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.tmgl.bondReferer:
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyz
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyz/m25s/
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyz/m25s/www.itygatehousing.app
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyzReferer:
          Source: explorer.exe, 00000004.00000002.4514503769.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3833545516.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098917447.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2069010894.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000004.00000000.2063621463.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3099874742.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4505790397.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3837680509.00000000076F8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000004.00000002.4510303360.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000004.00000000.2063621463.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4505790397.0000000007637000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000004.00000003.3096095397.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4503493727.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2051122346.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3831833887.00000000035FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.coml
          Source: explorer.exe, 00000004.00000002.4510303360.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000004.00000002.4510303360.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000004.00000000.2069010894.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4514503769.000000000C460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000004.00000002.4510303360.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/)s
          Source: explorer.exe, 00000004.00000002.4510303360.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comon
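The string hits above are the Formbook configuration as it sits in explorer.exe memory: every C2 is `http://www.<domain>/m25s/`, and because the config strings are stored back to back, a hit often runs on into the next domain in the list (`…/m25s/www.39474.club`) or into the literal `Referer:` header text. The script below is an added triage example, not part of the Joe Sandbox report: it parses those flattened hits, recovers the campaign path and the complete domain list (including domains that only appear as a run-on tail), discards the Windows telemetry URLs that explorer.exe legitimately holds, and turns the result into a proxy-log matcher. The report strings are copied from the entries above (one API key abbreviated); the proxy-log lines and their format are constructed for the demonstration.

```python
"""Formbook C2 extraction from flattened sandbox string hits.

Added example, not part of the Joe Sandbox report.  Input strings are copied
from the report; the proxy-log lines are constructed.
"""
import re
from collections import Counter

# Hits as the report prints them.  Run-on tails and "Referer:" suffixes are
# adjacent config strings, so a tail is another C2 domain, not noise.
SAMPLE_STRINGS = [
    "http://www.itygatehousing.app",
    "http://www.itygatehousing.app/m25s/",
    "http://www.itygatehousing.app/m25s/www.erkakasrumah.online",
    "http://www.itygatehousing.appReferer:",
    "http://www.newordforpurpose.info/m25s/www.39474.club",
    "http://www.tmgl.bond/m25s/www.newordforpurpose.info",
    "http://www.xewaov.xyz/m25s/www.itygatehousing.app",
    "https://api.msn.com/",                                      # explorer.exe noise
    "https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGG",   # explorer.exe noise, key abbreviated
    "https://word.office.comon",                                 # explorer.exe noise
]

# scheme :// host [ /segment/ tail ]   where tail is whatever ran on after the path
URL_RE = re.compile(r"^(https?)://([^/\s]+)(?:(/[^/\s]+/)(.*))?$")
HOST_RE = re.compile(r"^(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")
RUN_ON_SUFFIXES = ("Referer:",)   # adjacent string glued onto a host

def registrable_host(token):
    """Drop glued suffixes and a leading www., lower-case, and return None if
    what remains is not a bare hostname (e.g. a URL path or query string)."""
    for suffix in RUN_ON_SUFFIXES:
        if token.endswith(suffix):
            token = token[: -len(suffix)]
    m = HOST_RE.match(token.lower())
    return m.group(1) if m else None

def extract_c2(strings):
    """Return (campaign_path, sorted C2 domains).

    The campaign path is the URI path seen with the most hosts; a host counts
    only if it was seen with that path, as the URL host or as the run-on tail.
    Telemetry URLs never carry the campaign path, so they drop out."""
    path_hits = Counter()
    hosts_by_path = {}
    for s in strings:
        m = URL_RE.match(s.strip())
        if not m:
            continue
        _scheme, host, path, tail = m.groups()
        host = registrable_host(host)
        if not host or not path:
            continue
        path_hits[path] += 1
        bucket = hosts_by_path.setdefault(path, set())
        bucket.add(host)
        tail_host = registrable_host(tail) if tail else None
        if tail_host:
            bucket.add(tail_host)
    if not path_hits:
        return None, []
    campaign_path = path_hits.most_common(1)[0][0]
    return campaign_path, sorted(hosts_by_path[campaign_path])

def build_matcher(campaign_path, domains):
    """Predicate over a URL: true for a beacon to any recovered C2 domain with
    the campaign path, with or without www. and with an optional query string."""
    alternation = "|".join(re.escape(d) for d in domains)
    pattern = re.compile(
        r"^https?://(?:www\.)?(?:%s)%s(?:$|\?)" % (alternation, re.escape(campaign_path)),
        re.IGNORECASE,
    )
    return lambda url: bool(pattern.match(url))

# Constructed proxy-log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2024-10-23T10:01:02Z 10.0.0.15 GET http://www.tmgl.bond/m25s/?abcd=xyz 200",
    "2024-10-23T10:01:05Z 10.0.0.15 GET https://api.msn.com/v1/News/Feed/Windows 200",
    "2024-10-23T10:02:10Z 10.0.0.22 POST http://www.39474.club/m25s/ 404",
    "2024-10-23T10:02:11Z 10.0.0.22 GET http://www.39474.club/ 200",
]

def flag_beacons(log_lines, is_c2):
    """Return the URL field of every constructed-format log line that matches."""
    return [line.split()[3] for line in log_lines if is_c2(line.split()[3])]

if __name__ == "__main__":
    path, domains = extract_c2(SAMPLE_STRINGS)
    print("campaign path:", path)
    print("C2 domains:", ", ".join(domains))
    for url in flag_beacons(SAMPLE_PROXY_LOG, build_matcher(path, domains)):
        print("beacon:", url)
```

Two caveats when using the output: Formbook rotates through the configured domains and most of them never resolve (the report's "Tries to resolve many domain names, but no domain seems valid" signature), so block the whole list rather than only the one that answered; and the matcher keys on the campaign path, which changes per build, so re-run the extraction per sample instead of reusing `/m25s/`.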

          E-Banking Fraud

          Source: Yara match | File source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4516511425.000000000F271000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Bank swift.exe PID: 5556, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: Bank swift.exe PID: 5712, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: cscript.exe PID: 6340, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09243BD8 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09248AB8 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041A320 NtCreateFile
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041A3D0 NtReadFile
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041A450 NtClose
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041A500 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041A44B NtClose
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041A4FB NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662B60 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662D30 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662FB0 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662F90 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662E80 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01664340 NtSetContextThread
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01664650 NtSuspendThread
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662BE0 NtQueryValueKey
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662BA0 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662B80 NtQueryInformationFile
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662AF0 NtWriteFile
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662AB0 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662D00 NtSetInformationFile
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662DB0 NtEnumerateKey
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662C60 NtCreateKey
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662C00 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662CF0 NtOpenProcess
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662CC0 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662F60 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662FA0 NtQuerySection
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662E30 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01662EE0 NtQueueApcThread
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01663010 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01663090 NtSetValueKey
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016635C0 NtCreateMutant
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016639B0 NtGetContextThread
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01663D70 NtOpenThread
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01663D10 NtOpenProcessToken
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F259232 NtCreateFile
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F25AE12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F25AE0A NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532C60 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532BE0 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055335C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05534650 NtSuspendThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05534340 NtSetContextThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05532AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05533010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05533090 NtSetValueKey
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05533D70 NtOpenThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05533D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055339B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEA3D0 NtReadFile
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEA320 NtCreateFile
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEA450 NtClose
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEA500 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEA4FB NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEA44B NtClose
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053BA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053B9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053BA042 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053B9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
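The two cscript.exe functions just above carry the whole injection sequence in one place: 5_2_053B9BAF creates a section and maps it twice (once locally to fill it, once into the target) before unmapping, and 5_2_053BA036 suspends a thread, rewrites its context, queues an APC into it and resumes it. This is the static evidence behind the report's "Maps a DLL or memory area into another process", "Modifies the context of a thread in another process" and "Queues an APC in another process" signatures. The script below is an added example, not part of the Joe Sandbox report: it parses the flattened "Code function" entries (the function id is repeated at the end of each line as printed) and tags each function with the injection pattern its API chain contains. The sample entries are copied from the report; the labels and ATT&CK sub-technique ids are this example's own mapping, not the sandbox's.

```python
"""Tag NT API chains from sandbox "Code function" entries with injection patterns.

Added example, not part of the Joe Sandbox report.  Sample entries are copied
from the report; the rule table is this example's own mapping.
"""
import re

SAMPLE_ENTRIES = [
    "Source: C:\\Windows\\SysWOW64\\cscript.exeCode function: 5_2_053BA036 "
    "NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,"
    "NtQueueApcThread,NtResumeThread,5_2_053BA036",
    "Source: C:\\Windows\\SysWOW64\\cscript.exeCode function: 5_2_053B9BAF "
    "NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,"
    "NtClose,5_2_053B9BAF",
    "Source: C:\\Users\\user\\Desktop\\Bank swift.exeCode function: 3_2_01662E30 "
    "NtWriteVirtualMemory,3_2_01662E30",
    "Source: C:\\Users\\user\\Desktop\\Bank swift.exeCode function: 3_2_0041A450 "
    "NtClose,3_2_0041A450",
]

# "<image>Code function: <pid>_<phase>_<addr> <api>,<api>,...,<same id>"
ENTRY_RE = re.compile(
    r"Source: (?P<image>.+?)Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]+) "
    r"(?P<apis>(?:\w+,)+)(?P=fid)$"
)

# Ordered, most specific first: (label, required API set, ATT&CK id).
# A function gets the first rule whose set its API chain fully contains.
INJECTION_RULES = [
    ("suspend thread, rewrite its context, queue an APC, resume",
     {"NtSuspendThread", "NtSetContextThread", "NtQueueApcThread", "NtResumeThread"},
     "T1055.003+T1055.004"),
    ("thread context hijack",
     {"NtSuspendThread", "NtSetContextThread", "NtResumeThread"}, "T1055.003"),
    ("APC queued into a thread", {"NtQueueApcThread"}, "T1055.004"),
    ("section created, mapped twice and unmapped (shared-section mapping)",
     {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"}, "T1055"),
    ("section mapped into a process", {"NtCreateSection", "NtMapViewOfSection"}, "T1055"),
    ("direct write into process memory", {"NtWriteVirtualMemory"}, "T1055"),
]

def parse_entries(lines):
    """Yield (image path, function id, [api, ...]) for each well-formed entry."""
    for line in lines:
        m = ENTRY_RE.search(line.strip())
        if m:
            apis = [a for a in m.group("apis").split(",") if a]
            yield m.group("image"), m.group("fid"), apis

def classify(apis):
    """Return (label, attack_id) for the first matching rule, else None."""
    present = set(apis)
    for label, required, attack_id in INJECTION_RULES:
        if required <= present:
            return label, attack_id
    return None

def triage(lines):
    """Map function id -> (image basename, label, ATT&CK id) for every
    function whose API chain matches an injection pattern."""
    findings = {}
    for image, fid, apis in parse_entries(lines):
        hit = classify(apis)
        if hit:
            findings[fid] = (image.rsplit("\\", 1)[-1], hit[0], hit[1])
    return findings

def by_image(findings):
    """Collapse findings to {image basename: sorted ATT&CK ids}."""
    out = {}
    for image, _label, attack_id in findings.values():
        out.setdefault(image, set()).add(attack_id)
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    found = triage(SAMPLE_ENTRIES)
    for fid, (image, label, attack_id) in found.items():
        print(f"{image:16} {fid}  {attack_id:22} {label}")
    print(by_image(found))
```

Presence of the chain in a function is static evidence only; it says the code path exists, not that it ran. Pair it with the dynamic signatures in the report (the APC and thread-context hits against explorer.exe) before treating a process as the injection target, and note that the single-API entries (`NtWriteVirtualMemory` on its own) are common in legitimate loaders and only become interesting next to the section or thread chains.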
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_0175D5FC
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_0175B8C8
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_056AC308
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_056AEE50
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_056A08E0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_056A08F0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_056A08B7
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_07A01788
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_07A037F0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_07A00F28
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_07A01BC0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_07A01360
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09244B38
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09245E08
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09244B28
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09247A8A
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09245DF8
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09248C31
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09247EC0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09248390
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_0924A4E8
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_0924A4D8
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_0924A748
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_0924A758
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_00401030
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041D904
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041DBD7
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041E541
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041D566
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_00409E4B
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_00409E50
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041E7A9
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016B8158
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01620100
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CA118
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E81CC
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016F01AA
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E41A2
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C2000
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EA352
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016F03E6
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0163E3F0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016D0274
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016B02C0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01630535
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016F0591
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E2446
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016D4420
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016DE4F6
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01630770
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01654750
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0162C7C0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0164C6E0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01646962
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016329A0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016FA9A6
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0163A840
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01632840
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0165E8F0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016168B8
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EAB40
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E6BD7
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0162EA80
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0163AD00
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CCD1F
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0162ADE0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01648DBF
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01630C00
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01620CF2
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016D0CB5
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A4F40
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01672F28
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01650F30
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016D2F30
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0163CFE0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01622FC8
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016AEFA0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01630E59
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EEE26
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EEEDB
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01642E90
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016ECE93
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016FB16B
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0166516C
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0161F172
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0163B1B0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E70E9
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EF0E0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016DF0CC
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016370C0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0161D34C
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E132D
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0167739A
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016D12ED
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0164B2C0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016352A0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E7571
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016F95C3
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CD5B0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01621460
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EF43F
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EF7B0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01675630
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E16CC
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01639950
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0164B950
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C5910
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0169D800
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016338E0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EFB76
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A5BF0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0166DBF9
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0164FB80
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A3A6C
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EFA49
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E7A46
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016DDAC6
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CDAAC
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01675AA0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016D1AA3
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E7D73
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01633D40
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E1D5A
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0164FDC0
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A9C32
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EFCF2
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EFF09
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016EFFB1
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01631F92
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01639EB0
Source: C:\Windows\explorer.exe | Code function: 4_2_0F259232
Source: C:\Windows\explorer.exe | Code function: 4_2_0F253B30
Source: C:\Windows\explorer.exe | Code function: 4_2_0F253B32
Source: C:\Windows\explorer.exe | Code function: 4_2_0F250D02
Source: C:\Windows\explorer.exe | Code function: 4_2_0F256912
Source: C:\Windows\explorer.exe | Code function: 4_2_0F25C5CD
Source: C:\Windows\explorer.exe | Code function: 4_2_0F258036
Source: C:\Windows\explorer.exe | Code function: 4_2_0F24F082
Source: C:\Windows\explorer.exe | Code function: 4_2_10AD1082
Source: C:\Windows\explorer.exe | Code function: 4_2_10ADA036
Source: C:\Windows\explorer.exe | Code function: 4_2_10ADE5CD
Source: C:\Windows\explorer.exe | Code function: 4_2_10AD2D02
Source: C:\Windows\explorer.exe | Code function: 4_2_10AD8912
Source: C:\Windows\explorer.exe | Code function: 4_2_10ADB232
Source: C:\Windows\explorer.exe | Code function: 4_2_10AD5B30
Source: C:\Windows\explorer.exe | Code function: 4_2_10AD5B32
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_00787110
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05500535
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055C0591
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B2446
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055A4420
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055AE4F6
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05524750
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05500770
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054FC7C0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0551C6E0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05588158
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0559A118
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054F0100
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B81CC
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055C01AA
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B41A2
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05592000
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BA352
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0550E3F0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055C03E6
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055A0274
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055802C0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0559CD1F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0550AD00
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054FADE0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05518DBF
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05500C00
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054F0CF2
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055A0CB5
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05574F40
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05520F30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055A2F30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05542F28
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054F2FC8
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0550CFE0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0557EFA0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05500E59
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BEE26
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BEEDB
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05512E90
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BCE93
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05516962
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055029A0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055CA9A6
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0550A840
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05502840
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0552E8F0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054E68B8
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BAB40
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B6BD7
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054FEA80
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B7571
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0559D5B0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054F1460
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BF43F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BF7B0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05545630
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B16CC
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055CB16B
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054EF172
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0553516C
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0550B1B0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055070C0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055AF0CC
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B70E9
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BF0E0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054ED34C
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B132D
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0554739A
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0551B2C0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055A12ED
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055052A0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B1D5A
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05503D40
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B7D73
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0551FDC0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05579C32
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BFCF2
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BFF09
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05501F92
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BFFB1
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05509EB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05509950
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0551B950
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05595910
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0556D800
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055038E0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BFB76
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05575BF0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0553DBF9
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0551FB80
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055BFA49
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055B7A46
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05573A6C
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055ADAC6
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_05545AA0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0559DAAC
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_055A1AA3
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEE7A9
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FED566
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEE541
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FED904
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FD9E50
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FD9E4B
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FD2FB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FD2D90
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053BA036
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053B2D02
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053BE5CD
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053B8912
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053B1082
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053B5B32
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053B5B30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_053BB232
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: String function: 01677E54 appears 111 times
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: String function: 016AF290 appears 105 times
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: String function: 01665130 appears 58 times
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: String function: 0161B970 appears 280 times
Source: C:\Users\user\Desktop\Bank swift.exe | Code function: String function: 0169EA12 appears 86 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 054EB970 appears 280 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 05547E54 appears 103 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0556EA12 appears 86 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0557F290 appears 105 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 05535130 appears 58 times
Source: Bank swift.exe, 00000000.00000002.2047457137.000000000148E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Bank swift.exe
Source: Bank swift.exe, 00000000.00000002.2064433544.000000000BAE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Bank swift.exe
Source: Bank swift.exe, 00000000.00000000.2036295484.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameThGx.exeF vs Bank swift.exe
Source: Bank swift.exe, 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Bank swift.exe
Source: Bank swift.exe, 00000003.00000002.2110051359.00000000015B0000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs Bank swift.exe
Source: Bank swift.exe, 00000003.00000002.2109559935.0000000001198000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs Bank swift.exe
Source: Bank swift.exe, 00000003.00000002.2110209718.000000000171D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Bank swift.exe
Source: Bank swift.exe | Binary or memory string: OriginalFilenameThGx.exeF vs Bank swift.exe
Source: Bank swift.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4516511425.000000000F271000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Bank swift.exe PID: 5556, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: Bank swift.exe PID: 5712, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: cscript.exe PID: 6340, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Bank swift.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, IqF4oqVv8sTWNNV5OL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fPj6AkPx2qAFhopIaK.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fPj6AkPx2qAFhopIaK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fPj6AkPx2qAFhopIaK.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fPj6AkPx2qAFhopIaK.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fPj6AkPx2qAFhopIaK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fPj6AkPx2qAFhopIaK.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, IqF4oqVv8sTWNNV5OL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, IqF4oqVv8sTWNNV5OL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fPj6AkPx2qAFhopIaK.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fPj6AkPx2qAFhopIaK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fPj6AkPx2qAFhopIaK.cs | Security API names: _0020.AddAccessRule
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@303/1@11/0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078BCDF FormatMessageW,SysAllocString,LocalFree,GetLastError,WideCharToMultiByte,__alloca_probe_16,WideCharToMultiByte,FormatMessageA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,LocalFree, 5_2_0078BCDF
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_007864E0 CLSIDFromString,CoCreateInstance, 5_2_007864E0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_007982B5 FindResourceExW,LoadResource, 5_2_007982B5
          Source: C:\Users\user\Desktop\Bank swift.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bank swift.exe.log
          Source: C:\Users\user\Desktop\Bank swift.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_03
          Source: Bank swift.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\Bank swift.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Bank swift.exe | ReversingLabs: Detection: 47%
          Source: unknown | Process created: C:\Users\user\Desktop\Bank swift.exe "C:\Users\user\Desktop\Bank swift.exe"
          Source: C:\Users\user\Desktop\Bank swift.exe | Process created: C:\Users\user\Desktop\Bank swift.exe "C:\Users\user\Desktop\Bank swift.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Bank swift.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: iconcodecservice.dll
          Source: C:\Windows\explorer.exe | Section loaded: workfoldersshell.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\Bank swift.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\Bank swift.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Bank swift.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Bank swift.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Bank swift.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: cscript.pdbUGP | source: Bank swift.exe, 00000003.00000002.2110051359.00000000015B0000.00000040.10000000.00040000.00000000.sdmp, Bank swift.exe, 00000003.00000002.2109559935.0000000001198000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: ThGx.pdb | source: Bank swift.exe
          Source: Binary string: ThGx.pdbSHA256 | source: Bank swift.exe
          Source: Binary string: wntdll.pdbUGP | source: Bank swift.exe, 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2108905844.000000000515F000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2112308434.000000000530E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb | source: Bank swift.exe, Bank swift.exe, 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000003.2108905844.000000000515F000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.2112308434.000000000530E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: cscript.pdb | source: Bank swift.exe, 00000003.00000002.2110051359.00000000015B0000.00000040.10000000.00040000.00000000.sdmp, Bank swift.exe, 00000003.00000002.2109559935.0000000001198000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fPj6AkPx2qAFhopIaK.cs | .Net Code: otefcApoE8 System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fPj6AkPx2qAFhopIaK.cs | .Net Code: otefcApoE8 System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Bank swift.exe.5bb0000.2.raw.unpack, Uo.cs | .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fPj6AkPx2qAFhopIaK.cs | .Net Code: otefcApoE8 System.Reflection.Assembly.Load(byte[])
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078AA82 LoadLibraryW,GetProcAddress,FreeLibrary, 5_2_0078AA82
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_056A14D9 push 1805649Fh; retf 0_2_056A14E5
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_07A08975 push FFFFFF8Bh; iretd 0_2_07A08977
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_07A00854 push E8040777h; ret 0_2_07A00859
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 0_2_09243AD9 push ebx; retf 0_2_09243ADA
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041B854 push edi; ret 3_2_0041B85C
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041E96F push ebp; ret 3_2_0041E986
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041E903 push edx; ret 3_2_0041E907
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041D475 push eax; ret 3_2_0041D4C8
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041D4C2 push eax; ret 3_2_0041D4C8
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041D4CB push eax; ret 3_2_0041D532
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0041D52C push eax; ret 3_2_0041D532
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_015F225F pushad ; ret 3_2_015F27F9
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_015F27FA pushad ; ret 3_2_015F27F9
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016209AD push ecx; mov dword ptr [esp], ecx 3_2_016209B6
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_015F283D push eax; iretd 3_2_015F2858
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_015F1365 push eax; iretd 3_2_015F1369
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F25CB02 push esp; retn 0000h 4_2_0F25CB03
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F25CB1E push esp; retn 0000h 4_2_0F25CB1F
          Source: C:\Windows\explorer.exe | Code function: 4_2_0F25C9B5 push esp; retn 0000h 4_2_0F25CAE7
          Source: C:\Windows\explorer.exe | Code function: 4_2_10ADE9B5 push esp; retn 0000h 4_2_10ADEAE7
          Source: C:\Windows\explorer.exe | Code function: 4_2_10ADEB02 push esp; retn 0000h 4_2_10ADEB03
          Source: C:\Windows\explorer.exe | Code function: 4_2_10ADEB1E push esp; retn 0000h 4_2_10ADEB1F
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078DF11 push ecx; ret 5_2_0078DF24
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_054F09AD push ecx; mov dword ptr [esp], ecx 5_2_054F09B6
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FED4CB push eax; ret 5_2_02FED532
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FED4C2 push eax; ret 5_2_02FED4C8
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FED475 push eax; ret 5_2_02FED4C8
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FED52C push eax; ret 5_2_02FED532
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEB854 push edi; ret 5_2_02FEB85C
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEE96F push ebp; ret 5_2_02FEE986
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_02FEE903 push edx; ret 5_2_02FEE907
          Source: Bank swift.exe | Static PE information: section name: .text entropy: 7.6517904049016785
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, neHFNba0Bf9OBB952Z.cs | High entropy of concatenated method names: 'n9emNnQILd', 'E6KmbmAy8S', 'XP4mCE6oX4', 'LR3m6uNTLQ', 'BxImKlYguM', 'AdnmXYLRAN', 'wFTmPKkNgL', 'bWTm5Rxeym', 'POCm9ycvUc', 'otCmx8h5fl'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, ufAD2yTBcVVcJ17umw.cs | High entropy of concatenated method names: 'KamGalwwZl', 'P1hGvSEf0I', 'V3MmdlmSAV', 'F9CmiI4yq3', 'PYfGHqn4jE', 'LURGLFw8nZ', 'Yy8GQJLqTK', 'AFAGSfQp8c', 'nlxGtQUdBO', 'VXOG1CU4mr'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, tUGtQd3DJjokEpwttN.cs | High entropy of concatenated method names: 'yx0XIcH38G', 'Ci4XJ1gmOF', 'HEDXcs11O0', 'h7wX7o0On1', 'xJnXgMCkvP', 'SN2XhXK5Bv', 'IhxXrauJrc', 'dGxXVlxwSQ', 'JYcXDXF9YS', 'fwdXsCbMEG'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, Jj5f76sXuGlilYkdkY.cs | High entropy of concatenated method names: 'vMe6gcI6E1', 'xx66rIdprk', 'GH9CUwOoBY', 'wXpC4rZxr9', 'SEHCjisKq7', 'QFyCeT7S0b', 'DDZCYcKH9J', 'jQvCFXolRg', 'qHPC3w7adK', 'YyZCp9JocV'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, KP4B3Tid2BcRujRrEAA.cs | High entropy of concatenated method names: 'brWyI8lMTZ', 'yQ6yJkb6bX', 'zCUycfrZ7F', 'B7yy7fKvff', 'reAygyuP2J', 'uDRyhpm5s2', 'UYqyrrlyYM', 'vuEyVx6yAS', 'fvQyDlpx8m', 'aV5ys8JQWJ'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, IqF4oqVv8sTWNNV5OL.cs | High entropy of concatenated method names: 'TWxbSu1oZ2', 'tnIbtunLSs', 'GDqb12GSNp', 'h3YbZnSgVJ', 'z1CbE2K7dF', 'LPkbTouHZ4', 'oOobMweYxK', 'y3ubaYAAKX', 'lH9bq84Kdn', 'H4ubvni5ci'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, BBL8gEifQ27YNSIdnxN.cs | High entropy of concatenated method names: 'gFTCADNNeC1ak', 'clhoXQxR8f2usfbiy9J', 'Hka2hixHAXrSN29mMNp', 'dsvMApizhlpwMO3YSEt', 'smZheFxTXhQJbuojULE', 'FJD6hFxaYqX1OZuwevV'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, V8jl6SQ6uhSpgFnFWY.cs | High entropy of concatenated method names: 'DtlnVLERen', 'qWVnDjROxT', 'fVCnkvT2t0', 'MfNnok8OlQ', 'jSsn4jiXuR', 'IYqnjd0mPy', 'clInYNkXaI', 'QEJnFVKoXQ', 'wpTnpcch5r', 'WqdnH9gydP'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, O3dqutDKKEPWagaMia.cs | High entropy of concatenated method names: 'C8DC7wFE8O', 'z00ChXQO7p', 'DhRCVRijG0', 'w5HCDNUGrZ', 'BSTC0QSMPl', 'f0tC8ZHTbC', 'zWuCGWkKvL', 'PhvCmPGKcG', 'WyoCyjeVYq', 'hi6CRAMQ2p'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, vcvNOqzyLAdDgD4qMv.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WcxynGBhYM', 'nXty0XokxV', 'Jppy8gfDWo', 'BKpyGgipcN', 'XMZymPwMP8', 'zH8yySgtqF', 'xaVyRGwin7'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, sYLTpjiWm7p7olKQKCE.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uKYRSCSFmf', 'C5fRtNtREr', 'NW6R1BU0DE', 'lJMRZSA6AR', 'DVsREFns5t', 'MbfRTwOwsq', 'FniRM69BD4'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, MypjKDonacXux0UMPT.cs | High entropy of concatenated method names: 'LGwoc6HbtRRwc79r0VW', 'Cmc5a6H3jYkA1NT24Fb', 'DIiKmCOIcQ', 'O1SKypWhqV', 'aXrKRlUZPG', 'XyYjCCHvMvZ2cobyi34', 'aEUxhZHtCXMeWCLINrG', 'kIgE4VHLB8RVNb59vvF'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, vJNiXViiGYRwVe8ZWvJ.cs | High entropy of concatenated method names: 'ToString', 'E5cRW5hEBc', 'gkERf0uwXP', 'YJrRAkFmFp', 'fxcRNU6NNe', 'yrLRbQHMmJ', 'qUwRCGh5Fd', 'tPfR6QD1B2', 'sx31xKiS8VYcnjua29b', 'ifI4Mkiux9Sj9S0Q2dO'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, cqCFZcY25BEWh2DTtw.cs | High entropy of concatenated method names: 'I1JXNYgojh', 'YWsXCPs1w4', 'kLoXKtDMqu', 'kUVKvkyBp2', 'N8SKzqSwaM', 'DksXd0IYMo', 'QSxXiolaPR', 'fnYXuL3FIi', 'VpMXWjwaeZ', 'HXQXfuWxky'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, CqPLsLbPmaWACgBFgl.cs | High entropy of concatenated method names: 'Dispose', 'XpDiq0RZmG', 'k5TuoYNkGw', 'CteBBvs09T', 'gneivHFNb0', 'vf9izOBB95', 'ProcessDialogKey', 'vZkudPdGYG', 'Bmtuilurm6', 'Vlvuu9Tav3'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, w016agZ6Yv5lj1y6RX.cs | High entropy of concatenated method names: 'l1aG9x5J8k', 'c0QGxRPTEj', 'ToString', 'y91GNqtfXZ', 'OghGbFeORU', 'K3FGCNc3WZ', 'qrUG6NDZRG', 'hEVGKMCufV', 'IvnGXnKeub', 'zXBGPAp9YL'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, pdtIeykDa1LgXtJ021.cs | High entropy of concatenated method names: 'tuPKAmMgNv', 'kniKbrL0r6', 'PeYK64MNIm', 'aovKXCJ56u', 'XOxKPKUBCK', 'OS36EOqByM', 'iUq6TMvEh1', 'ND36Mv0Nu3', 'v4L6aPvxGI', 'oIX6qHANU1'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, mTav3nvGt7cQdHnaMV.cs | High entropy of concatenated method names: 'pbMyiycejf', 'BHMyWQus8c', 'stUyfUQGu1', 'aMsyNASgaf', 'I6Zyb6Mmh7', 'JIsy6WeWk8', 'duCyKGADSo', 'zlImMNg9jn', 'NRAmayb1Am', 'WYfmqgZoSt'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, JsvX2Tfm2XdPsxwden.cs | High entropy of concatenated method names: 'mp4iXqF4oq', 'Y8siPTWNNV', 'SKKi9EPWag', 'XMiixajj5f', 'Lkdi0kY8dt', 'yeyi8Da1Lg', 'dS5O8YCU8waR2Tvoj3', 'yn6pRMEgNY1bpgSXTS', 'q99iiJ7BFw', 'SmaiWeUHWE'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fPj6AkPx2qAFhopIaK.cs | High entropy of concatenated method names: 'cQDWAS8DYL', 'bxJWNS7vMn', 'OkQWb1PIpy', 'JRGWCvQ0fr', 'H1yW6tjjq6', 'PxwWKuUglJ', 'xWsWX9nd4g', 'eEyWP0WFpp', 'BXsW5lcC5w', 'Gm5W94tbV5'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, GPdGYGqgmtlurm6Tlv.cs | High entropy of concatenated method names: 'GupmkL9xFU', 'yjgmoyVC2D', 'y3QmU3YNQF', 'n1Mm4GOkkU', 'hMVmS2wssb', 'DRhmjRuNQY', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Bank swift.exe.bae0000.3.raw.unpack, fhvTyDungqxGGCMZiu.cs | High entropy of concatenated method names: 'IXWcjnNuV', 'hBL7YfijD', 'q6ahbAyqx', 'eTPrHPdFv', 'OQkDxkVrj', 'no0s1oH7T', 'rllTpNQ5quI5EFLgn8', 'vo0vQnXtpuPT81YOmC', 'mhsm4aoC1', 'EIyRDHc9q'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, neHFNba0Bf9OBB952Z.cs | High entropy of concatenated method names: 'n9emNnQILd', 'E6KmbmAy8S', 'XP4mCE6oX4', 'LR3m6uNTLQ', 'BxImKlYguM', 'AdnmXYLRAN', 'wFTmPKkNgL', 'bWTm5Rxeym', 'POCm9ycvUc', 'otCmx8h5fl'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, ufAD2yTBcVVcJ17umw.cs | High entropy of concatenated method names: 'KamGalwwZl', 'P1hGvSEf0I', 'V3MmdlmSAV', 'F9CmiI4yq3', 'PYfGHqn4jE', 'LURGLFw8nZ', 'Yy8GQJLqTK', 'AFAGSfQp8c', 'nlxGtQUdBO', 'VXOG1CU4mr'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, tUGtQd3DJjokEpwttN.cs | High entropy of concatenated method names: 'yx0XIcH38G', 'Ci4XJ1gmOF', 'HEDXcs11O0', 'h7wX7o0On1', 'xJnXgMCkvP', 'SN2XhXK5Bv', 'IhxXrauJrc', 'dGxXVlxwSQ', 'JYcXDXF9YS', 'fwdXsCbMEG'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, Jj5f76sXuGlilYkdkY.cs | High entropy of concatenated method names: 'vMe6gcI6E1', 'xx66rIdprk', 'GH9CUwOoBY', 'wXpC4rZxr9', 'SEHCjisKq7', 'QFyCeT7S0b', 'DDZCYcKH9J', 'jQvCFXolRg', 'qHPC3w7adK', 'YyZCp9JocV'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, KP4B3Tid2BcRujRrEAA.cs | High entropy of concatenated method names: 'brWyI8lMTZ', 'yQ6yJkb6bX', 'zCUycfrZ7F', 'B7yy7fKvff', 'reAygyuP2J', 'uDRyhpm5s2', 'UYqyrrlyYM', 'vuEyVx6yAS', 'fvQyDlpx8m', 'aV5ys8JQWJ'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, IqF4oqVv8sTWNNV5OL.cs | High entropy of concatenated method names: 'TWxbSu1oZ2', 'tnIbtunLSs', 'GDqb12GSNp', 'h3YbZnSgVJ', 'z1CbE2K7dF', 'LPkbTouHZ4', 'oOobMweYxK', 'y3ubaYAAKX', 'lH9bq84Kdn', 'H4ubvni5ci'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, BBL8gEifQ27YNSIdnxN.cs | High entropy of concatenated method names: 'gFTCADNNeC1ak', 'clhoXQxR8f2usfbiy9J', 'Hka2hixHAXrSN29mMNp', 'dsvMApizhlpwMO3YSEt', 'smZheFxTXhQJbuojULE', 'FJD6hFxaYqX1OZuwevV'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, V8jl6SQ6uhSpgFnFWY.cs | High entropy of concatenated method names: 'DtlnVLERen', 'qWVnDjROxT', 'fVCnkvT2t0', 'MfNnok8OlQ', 'jSsn4jiXuR', 'IYqnjd0mPy', 'clInYNkXaI', 'QEJnFVKoXQ', 'wpTnpcch5r', 'WqdnH9gydP'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, O3dqutDKKEPWagaMia.cs | High entropy of concatenated method names: 'C8DC7wFE8O', 'z00ChXQO7p', 'DhRCVRijG0', 'w5HCDNUGrZ', 'BSTC0QSMPl', 'f0tC8ZHTbC', 'zWuCGWkKvL', 'PhvCmPGKcG', 'WyoCyjeVYq', 'hi6CRAMQ2p'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, vcvNOqzyLAdDgD4qMv.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WcxynGBhYM', 'nXty0XokxV', 'Jppy8gfDWo', 'BKpyGgipcN', 'XMZymPwMP8', 'zH8yySgtqF', 'xaVyRGwin7'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, sYLTpjiWm7p7olKQKCE.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uKYRSCSFmf', 'C5fRtNtREr', 'NW6R1BU0DE', 'lJMRZSA6AR', 'DVsREFns5t', 'MbfRTwOwsq', 'FniRM69BD4'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, MypjKDonacXux0UMPT.cs | High entropy of concatenated method names: 'LGwoc6HbtRRwc79r0VW', 'Cmc5a6H3jYkA1NT24Fb', 'DIiKmCOIcQ', 'O1SKypWhqV', 'aXrKRlUZPG', 'XyYjCCHvMvZ2cobyi34', 'aEUxhZHtCXMeWCLINrG', 'kIgE4VHLB8RVNb59vvF'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, vJNiXViiGYRwVe8ZWvJ.cs | High entropy of concatenated method names: 'ToString', 'E5cRW5hEBc', 'gkERf0uwXP', 'YJrRAkFmFp', 'fxcRNU6NNe', 'yrLRbQHMmJ', 'qUwRCGh5Fd', 'tPfR6QD1B2', 'sx31xKiS8VYcnjua29b', 'ifI4Mkiux9Sj9S0Q2dO'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, cqCFZcY25BEWh2DTtw.cs | High entropy of concatenated method names: 'I1JXNYgojh', 'YWsXCPs1w4', 'kLoXKtDMqu', 'kUVKvkyBp2', 'N8SKzqSwaM', 'DksXd0IYMo', 'QSxXiolaPR', 'fnYXuL3FIi', 'VpMXWjwaeZ', 'HXQXfuWxky'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, CqPLsLbPmaWACgBFgl.cs | High entropy of concatenated method names: 'Dispose', 'XpDiq0RZmG', 'k5TuoYNkGw', 'CteBBvs09T', 'gneivHFNb0', 'vf9izOBB95', 'ProcessDialogKey', 'vZkudPdGYG', 'Bmtuilurm6', 'Vlvuu9Tav3'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, w016agZ6Yv5lj1y6RX.cs | High entropy of concatenated method names: 'l1aG9x5J8k', 'c0QGxRPTEj', 'ToString', 'y91GNqtfXZ', 'OghGbFeORU', 'K3FGCNc3WZ', 'qrUG6NDZRG', 'hEVGKMCufV', 'IvnGXnKeub', 'zXBGPAp9YL'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, pdtIeykDa1LgXtJ021.cs | High entropy of concatenated method names: 'tuPKAmMgNv', 'kniKbrL0r6', 'PeYK64MNIm', 'aovKXCJ56u', 'XOxKPKUBCK', 'OS36EOqByM', 'iUq6TMvEh1', 'ND36Mv0Nu3', 'v4L6aPvxGI', 'oIX6qHANU1'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, mTav3nvGt7cQdHnaMV.cs | High entropy of concatenated method names: 'pbMyiycejf', 'BHMyWQus8c', 'stUyfUQGu1', 'aMsyNASgaf', 'I6Zyb6Mmh7', 'JIsy6WeWk8', 'duCyKGADSo', 'zlImMNg9jn', 'NRAmayb1Am', 'WYfmqgZoSt'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, JsvX2Tfm2XdPsxwden.cs | High entropy of concatenated method names: 'mp4iXqF4oq', 'Y8siPTWNNV', 'SKKi9EPWag', 'XMiixajj5f', 'Lkdi0kY8dt', 'yeyi8Da1Lg', 'dS5O8YCU8waR2Tvoj3', 'yn6pRMEgNY1bpgSXTS', 'q99iiJ7BFw', 'SmaiWeUHWE'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fPj6AkPx2qAFhopIaK.cs | High entropy of concatenated method names: 'cQDWAS8DYL', 'bxJWNS7vMn', 'OkQWb1PIpy', 'JRGWCvQ0fr', 'H1yW6tjjq6', 'PxwWKuUglJ', 'xWsWX9nd4g', 'eEyWP0WFpp', 'BXsW5lcC5w', 'Gm5W94tbV5'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, GPdGYGqgmtlurm6Tlv.cs | High entropy of concatenated method names: 'GupmkL9xFU', 'yjgmoyVC2D', 'y3QmU3YNQF', 'n1Mm4GOkkU', 'hMVmS2wssb', 'DRhmjRuNQY', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, fhvTyDungqxGGCMZiu.cs | High entropy of concatenated method names: 'IXWcjnNuV', 'hBL7YfijD', 'q6ahbAyqx', 'eTPrHPdFv', 'OQkDxkVrj', 'no0s1oH7T', 'rllTpNQ5quI5EFLgn8', 'vo0vQnXtpuPT81YOmC', 'mhsm4aoC1', 'EIyRDHc9q'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, neHFNba0Bf9OBB952Z.cs | High entropy of concatenated method names: 'n9emNnQILd', 'E6KmbmAy8S', 'XP4mCE6oX4', 'LR3m6uNTLQ', 'BxImKlYguM', 'AdnmXYLRAN', 'wFTmPKkNgL', 'bWTm5Rxeym', 'POCm9ycvUc', 'otCmx8h5fl'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, ufAD2yTBcVVcJ17umw.cs | High entropy of concatenated method names: 'KamGalwwZl', 'P1hGvSEf0I', 'V3MmdlmSAV', 'F9CmiI4yq3', 'PYfGHqn4jE', 'LURGLFw8nZ', 'Yy8GQJLqTK', 'AFAGSfQp8c', 'nlxGtQUdBO', 'VXOG1CU4mr'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, tUGtQd3DJjokEpwttN.cs | High entropy of concatenated method names: 'yx0XIcH38G', 'Ci4XJ1gmOF', 'HEDXcs11O0', 'h7wX7o0On1', 'xJnXgMCkvP', 'SN2XhXK5Bv', 'IhxXrauJrc', 'dGxXVlxwSQ', 'JYcXDXF9YS', 'fwdXsCbMEG'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, Jj5f76sXuGlilYkdkY.cs | High entropy of concatenated method names: 'vMe6gcI6E1', 'xx66rIdprk', 'GH9CUwOoBY', 'wXpC4rZxr9', 'SEHCjisKq7', 'QFyCeT7S0b', 'DDZCYcKH9J', 'jQvCFXolRg', 'qHPC3w7adK', 'YyZCp9JocV'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, KP4B3Tid2BcRujRrEAA.cs | High entropy of concatenated method names: 'brWyI8lMTZ', 'yQ6yJkb6bX', 'zCUycfrZ7F', 'B7yy7fKvff', 'reAygyuP2J', 'uDRyhpm5s2', 'UYqyrrlyYM', 'vuEyVx6yAS', 'fvQyDlpx8m', 'aV5ys8JQWJ'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, IqF4oqVv8sTWNNV5OL.cs | High entropy of concatenated method names: 'TWxbSu1oZ2', 'tnIbtunLSs', 'GDqb12GSNp', 'h3YbZnSgVJ', 'z1CbE2K7dF', 'LPkbTouHZ4', 'oOobMweYxK', 'y3ubaYAAKX', 'lH9bq84Kdn', 'H4ubvni5ci'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, BBL8gEifQ27YNSIdnxN.cs | High entropy of concatenated method names: 'gFTCADNNeC1ak', 'clhoXQxR8f2usfbiy9J', 'Hka2hixHAXrSN29mMNp', 'dsvMApizhlpwMO3YSEt', 'smZheFxTXhQJbuojULE', 'FJD6hFxaYqX1OZuwevV'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, V8jl6SQ6uhSpgFnFWY.csHigh entropy of concatenated method names: 'DtlnVLERen', 'qWVnDjROxT', 'fVCnkvT2t0', 'MfNnok8OlQ', 'jSsn4jiXuR', 'IYqnjd0mPy', 'clInYNkXaI', 'QEJnFVKoXQ', 'wpTnpcch5r', 'WqdnH9gydP'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, O3dqutDKKEPWagaMia.csHigh entropy of concatenated method names: 'C8DC7wFE8O', 'z00ChXQO7p', 'DhRCVRijG0', 'w5HCDNUGrZ', 'BSTC0QSMPl', 'f0tC8ZHTbC', 'zWuCGWkKvL', 'PhvCmPGKcG', 'WyoCyjeVYq', 'hi6CRAMQ2p'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, vcvNOqzyLAdDgD4qMv.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WcxynGBhYM', 'nXty0XokxV', 'Jppy8gfDWo', 'BKpyGgipcN', 'XMZymPwMP8', 'zH8yySgtqF', 'xaVyRGwin7'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, sYLTpjiWm7p7olKQKCE.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uKYRSCSFmf', 'C5fRtNtREr', 'NW6R1BU0DE', 'lJMRZSA6AR', 'DVsREFns5t', 'MbfRTwOwsq', 'FniRM69BD4'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, MypjKDonacXux0UMPT.csHigh entropy of concatenated method names: 'LGwoc6HbtRRwc79r0VW', 'Cmc5a6H3jYkA1NT24Fb', 'DIiKmCOIcQ', 'O1SKypWhqV', 'aXrKRlUZPG', 'XyYjCCHvMvZ2cobyi34', 'aEUxhZHtCXMeWCLINrG', 'kIgE4VHLB8RVNb59vvF'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, vJNiXViiGYRwVe8ZWvJ.csHigh entropy of concatenated method names: 'ToString', 'E5cRW5hEBc', 'gkERf0uwXP', 'YJrRAkFmFp', 'fxcRNU6NNe', 'yrLRbQHMmJ', 'qUwRCGh5Fd', 'tPfR6QD1B2', 'sx31xKiS8VYcnjua29b', 'ifI4Mkiux9Sj9S0Q2dO'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, cqCFZcY25BEWh2DTtw.csHigh entropy of concatenated method names: 'I1JXNYgojh', 'YWsXCPs1w4', 'kLoXKtDMqu', 'kUVKvkyBp2', 'N8SKzqSwaM', 'DksXd0IYMo', 'QSxXiolaPR', 'fnYXuL3FIi', 'VpMXWjwaeZ', 'HXQXfuWxky'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, CqPLsLbPmaWACgBFgl.csHigh entropy of concatenated method names: 'Dispose', 'XpDiq0RZmG', 'k5TuoYNkGw', 'CteBBvs09T', 'gneivHFNb0', 'vf9izOBB95', 'ProcessDialogKey', 'vZkudPdGYG', 'Bmtuilurm6', 'Vlvuu9Tav3'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, w016agZ6Yv5lj1y6RX.csHigh entropy of concatenated method names: 'l1aG9x5J8k', 'c0QGxRPTEj', 'ToString', 'y91GNqtfXZ', 'OghGbFeORU', 'K3FGCNc3WZ', 'qrUG6NDZRG', 'hEVGKMCufV', 'IvnGXnKeub', 'zXBGPAp9YL'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, pdtIeykDa1LgXtJ021.csHigh entropy of concatenated method names: 'tuPKAmMgNv', 'kniKbrL0r6', 'PeYK64MNIm', 'aovKXCJ56u', 'XOxKPKUBCK', 'OS36EOqByM', 'iUq6TMvEh1', 'ND36Mv0Nu3', 'v4L6aPvxGI', 'oIX6qHANU1'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, mTav3nvGt7cQdHnaMV.csHigh entropy of concatenated method names: 'pbMyiycejf', 'BHMyWQus8c', 'stUyfUQGu1', 'aMsyNASgaf', 'I6Zyb6Mmh7', 'JIsy6WeWk8', 'duCyKGADSo', 'zlImMNg9jn', 'NRAmayb1Am', 'WYfmqgZoSt'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, JsvX2Tfm2XdPsxwden.csHigh entropy of concatenated method names: 'mp4iXqF4oq', 'Y8siPTWNNV', 'SKKi9EPWag', 'XMiixajj5f', 'Lkdi0kY8dt', 'yeyi8Da1Lg', 'dS5O8YCU8waR2Tvoj3', 'yn6pRMEgNY1bpgSXTS', 'q99iiJ7BFw', 'SmaiWeUHWE'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fPj6AkPx2qAFhopIaK.csHigh entropy of concatenated method names: 'cQDWAS8DYL', 'bxJWNS7vMn', 'OkQWb1PIpy', 'JRGWCvQ0fr', 'H1yW6tjjq6', 'PxwWKuUglJ', 'xWsWX9nd4g', 'eEyWP0WFpp', 'BXsW5lcC5w', 'Gm5W94tbV5'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, GPdGYGqgmtlurm6Tlv.csHigh entropy of concatenated method names: 'GupmkL9xFU', 'yjgmoyVC2D', 'y3QmU3YNQF', 'n1Mm4GOkkU', 'hMVmS2wssb', 'DRhmjRuNQY', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, fhvTyDungqxGGCMZiu.csHigh entropy of concatenated method names: 'IXWcjnNuV', 'hBL7YfijD', 'q6ahbAyqx', 'eTPrHPdFv', 'OQkDxkVrj', 'no0s1oH7T', 'rllTpNQ5quI5EFLgn8', 'vo0vQnXtpuPT81YOmC', 'mhsm4aoC1', 'EIyRDHc9q'
          Source: C:\Users\user\Desktop\Bank swift.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: Process Memory Space: Bank swift.exe PID: 5556, type: MEMORYSTR
          Source: C:\Users\user\Desktop\Bank swift.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Users\user\Desktop\Bank swift.exe | API/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Users\user\Desktop\Bank swift.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Users\user\Desktop\Bank swift.exe | API/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Users\user\Desktop\Bank swift.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Users\user\Desktop\Bank swift.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\cscript.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\cscript.exe | API/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Windows\SysWOW64\cscript.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
          Source: C:\Windows\SysWOW64\cscript.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
          Source: C:\Windows\SysWOW64\cscript.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
          Source: C:\Windows\SysWOW64\cscript.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\cscript.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\cscript.exe | API/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Windows\SysWOW64\cscript.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Users\user\Desktop\Bank swift.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Bank swift.exe | RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 2FD9904 second address: 2FD990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 2FD9B6E second address: 2FD9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: 1750000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: 3070000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: 5070000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: 9250000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: 7660000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: A250000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: B250000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: BB50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: CB50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: DB50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
          Source: C:\Users\user\Desktop\Bank swift.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1825
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 8124
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 884
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 866
          Source: C:\Windows\SysWOW64\cscript.exe | Window / User API: threadDelayed 9843
          Source: C:\Users\user\Desktop\Bank swift.exe | API coverage: 1.6 %
          Source: C:\Windows\SysWOW64\cscript.exe | API coverage: 1.6 %
          Source: C:\Users\user\Desktop\Bank swift.exe TID: 6024 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6496 | Thread sleep count: 1825 > 30
          Source: C:\Windows\explorer.exe TID: 6496 | Thread sleep time: -3650000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6496 | Thread sleep count: 8124 > 30
          Source: C:\Windows\explorer.exe TID: 6496 | Thread sleep time: -16248000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 7104 | Thread sleep count: 130 > 30
          Source: C:\Windows\SysWOW64\cscript.exe TID: 7104 | Thread sleep time: -260000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 7104 | Thread sleep count: 9843 > 30
          Source: C:\Windows\SysWOW64\cscript.exe TID: 7104 | Thread sleep time: -19686000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_00792674 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,5_2_00792674
          Source: C:\Users\user\Desktop\Bank swift.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000004.00000003.3837680509.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
          Source: explorer.exe, 00000004.00000002.4510303360.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0r
          Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
          Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
          Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
          Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000004.00000000.2049993282.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
          Source: explorer.exe, 00000004.00000003.3837680509.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
          Source: explorer.exe, 00000004.00000000.2066032017.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4510303360.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,p
          Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
          Source: explorer.exe, 00000004.00000000.2049993282.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.4505790397.000000000769A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Bank swift.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Bank swift.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0040ACE0 LdrLoadDll,3_2_0040ACE0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078AA82 LoadLibraryW,GetProcAddress,FreeLibrary,5_2_0078AA82
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016F4164 mov eax, dword ptr fs:[00000030h] 3_2_016F4164
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016F4164 mov eax, dword ptr fs:[00000030h] 3_2_016F4164
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016B4144 mov eax, dword ptr fs:[00000030h] 3_2_016B4144
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016B4144 mov eax, dword ptr fs:[00000030h] 3_2_016B4144
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016B4144 mov ecx, dword ptr fs:[00000030h] 3_2_016B4144
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016B4144 mov eax, dword ptr fs:[00000030h] 3_2_016B4144
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016B4144 mov eax, dword ptr fs:[00000030h] 3_2_016B4144
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016B8158 mov eax, dword ptr fs:[00000030h] 3_2_016B8158
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01626154 mov eax, dword ptr fs:[00000030h] 3_2_01626154
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01626154 mov eax, dword ptr fs:[00000030h] 3_2_01626154
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0161C156 mov eax, dword ptr fs:[00000030h] 3_2_0161C156
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01650124 mov eax, dword ptr fs:[00000030h] 3_2_01650124
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CE10E mov eax, dword ptr fs:[00000030h] 3_2_016CE10E
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CE10E mov ecx, dword ptr fs:[00000030h] 3_2_016CE10E
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CE10E mov eax, dword ptr fs:[00000030h] 3_2_016CE10E
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CE10E mov eax, dword ptr fs:[00000030h] 3_2_016CE10E
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CE10E mov ecx, dword ptr fs:[00000030h] 3_2_016CE10E
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CE10E mov eax, dword ptr fs:[00000030h] 3_2_016CE10E
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CE10E mov eax, dword ptr fs:[00000030h] 3_2_016CE10E
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CE10E mov ecx, dword ptr fs:[00000030h] 3_2_016CE10E
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CE10E mov eax, dword ptr fs:[00000030h] 3_2_016CE10E
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CE10E mov ecx, dword ptr fs:[00000030h] 3_2_016CE10E
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CA118 mov ecx, dword ptr fs:[00000030h] 3_2_016CA118
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CA118 mov eax, dword ptr fs:[00000030h] 3_2_016CA118
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CA118 mov eax, dword ptr fs:[00000030h] 3_2_016CA118
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016CA118 mov eax, dword ptr fs:[00000030h] 3_2_016CA118
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E0115 mov eax, dword ptr fs:[00000030h] 3_2_016E0115
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016F61E5 mov eax, dword ptr fs:[00000030h] 3_2_016F61E5
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016501F8 mov eax, dword ptr fs:[00000030h] 3_2_016501F8
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E61C3 mov eax, dword ptr fs:[00000030h] 3_2_016E61C3
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E61C3 mov eax, dword ptr fs:[00000030h] 3_2_016E61C3
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0169E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0169E1D0
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0169E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0169E1D0
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0169E1D0 mov ecx, dword ptr fs:[00000030h] 3_2_0169E1D0
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0169E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0169E1D0
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0169E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0169E1D0
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01660185 mov eax, dword ptr fs:[00000030h] 3_2_01660185
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016DC188 mov eax, dword ptr fs:[00000030h] 3_2_016DC188
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016DC188 mov eax, dword ptr fs:[00000030h] 3_2_016DC188
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C4180 mov eax, dword ptr fs:[00000030h] 3_2_016C4180
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C4180 mov eax, dword ptr fs:[00000030h] 3_2_016C4180
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A019F mov eax, dword ptr fs:[00000030h] 3_2_016A019F
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A019F mov eax, dword ptr fs:[00000030h] 3_2_016A019F
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A019F mov eax, dword ptr fs:[00000030h] 3_2_016A019F
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A019F mov eax, dword ptr fs:[00000030h] 3_2_016A019F
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0161A197 mov eax, dword ptr fs:[00000030h] 3_2_0161A197
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0161A197 mov eax, dword ptr fs:[00000030h] 3_2_0161A197
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0161A197 mov eax, dword ptr fs:[00000030h] 3_2_0161A197
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0164C073 mov eax, dword ptr fs:[00000030h] 3_2_0164C073
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_01622050 mov eax, dword ptr fs:[00000030h] 3_2_01622050
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A6050 mov eax, dword ptr fs:[00000030h] 3_2_016A6050
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0161A020 mov eax, dword ptr fs:[00000030h] 3_2_0161A020
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0161C020 mov eax, dword ptr fs:[00000030h] 3_2_0161C020
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016B6030 mov eax, dword ptr fs:[00000030h] 3_2_016B6030
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A4000 mov ecx, dword ptr fs:[00000030h] 3_2_016A4000
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C2000 mov eax, dword ptr fs:[00000030h] 3_2_016C2000
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C2000 mov eax, dword ptr fs:[00000030h] 3_2_016C2000
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C2000 mov eax, dword ptr fs:[00000030h] 3_2_016C2000
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C2000 mov eax, dword ptr fs:[00000030h] 3_2_016C2000
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C2000 mov eax, dword ptr fs:[00000030h] 3_2_016C2000
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C2000 mov eax, dword ptr fs:[00000030h] 3_2_016C2000
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C2000 mov eax, dword ptr fs:[00000030h] 3_2_016C2000
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C2000 mov eax, dword ptr fs:[00000030h] 3_2_016C2000
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0163E016 mov eax, dword ptr fs:[00000030h] 3_2_0163E016
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0163E016 mov eax, dword ptr fs:[00000030h] 3_2_0163E016
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0163E016 mov eax, dword ptr fs:[00000030h] 3_2_0163E016
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0163E016 mov eax, dword ptr fs:[00000030h] 3_2_0163E016
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0161A0E3 mov ecx, dword ptr fs:[00000030h] 3_2_0161A0E3
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A60E0 mov eax, dword ptr fs:[00000030h] 3_2_016A60E0
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016280E9 mov eax, dword ptr fs:[00000030h] 3_2_016280E9
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0161C0F0 mov eax, dword ptr fs:[00000030h] 3_2_0161C0F0
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016620F0 mov ecx, dword ptr fs:[00000030h] 3_2_016620F0
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A20DE mov eax, dword ptr fs:[00000030h] 3_2_016A20DE
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016180A0 mov eax, dword ptr fs:[00000030h] 3_2_016180A0
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016B80A8 mov eax, dword ptr fs:[00000030h] 3_2_016B80A8
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E60B8 mov eax, dword ptr fs:[00000030h] 3_2_016E60B8
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016E60B8 mov ecx, dword ptr fs:[00000030h] 3_2_016E60B8
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_0162208A mov eax, dword ptr fs:[00000030h] 3_2_0162208A
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016C437C mov eax, dword ptr fs:[00000030h] 3_2_016C437C
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016F634F mov eax, dword ptr fs:[00000030h] 3_2_016F634F
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h] 3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exe | Code function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h] 3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A2349 mov eax, dword ptr fs:[00000030h]3_2_016A2349
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A035C mov eax, dword ptr fs:[00000030h]3_2_016A035C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A035C mov eax, dword ptr fs:[00000030h]3_2_016A035C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A035C mov eax, dword ptr fs:[00000030h]3_2_016A035C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A035C mov ecx, dword ptr fs:[00000030h]3_2_016A035C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A035C mov eax, dword ptr fs:[00000030h]3_2_016A035C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A035C mov eax, dword ptr fs:[00000030h]3_2_016A035C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016EA352 mov eax, dword ptr fs:[00000030h]3_2_016EA352
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016C8350 mov ecx, dword ptr fs:[00000030h]3_2_016C8350
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F8324 mov eax, dword ptr fs:[00000030h]3_2_016F8324
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F8324 mov ecx, dword ptr fs:[00000030h]3_2_016F8324
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F8324 mov eax, dword ptr fs:[00000030h]3_2_016F8324
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F8324 mov eax, dword ptr fs:[00000030h]3_2_016F8324
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A30B mov eax, dword ptr fs:[00000030h]3_2_0165A30B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A30B mov eax, dword ptr fs:[00000030h]3_2_0165A30B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A30B mov eax, dword ptr fs:[00000030h]3_2_0165A30B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161C310 mov ecx, dword ptr fs:[00000030h]3_2_0161C310
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01640310 mov ecx, dword ptr fs:[00000030h]3_2_01640310
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016303E9 mov eax, dword ptr fs:[00000030h]3_2_016303E9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016303E9 mov eax, dword ptr fs:[00000030h]3_2_016303E9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016303E9 mov eax, dword ptr fs:[00000030h]3_2_016303E9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016303E9 mov eax, dword ptr fs:[00000030h]3_2_016303E9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016303E9 mov eax, dword ptr fs:[00000030h]3_2_016303E9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016303E9 mov eax, dword ptr fs:[00000030h]3_2_016303E9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016303E9 mov eax, dword ptr fs:[00000030h]3_2_016303E9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016303E9 mov eax, dword ptr fs:[00000030h]3_2_016303E9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163E3F0 mov eax, dword ptr fs:[00000030h]3_2_0163E3F0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163E3F0 mov eax, dword ptr fs:[00000030h]3_2_0163E3F0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163E3F0 mov eax, dword ptr fs:[00000030h]3_2_0163E3F0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016563FF mov eax, dword ptr fs:[00000030h]3_2_016563FF
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016DC3CD mov eax, dword ptr fs:[00000030h]3_2_016DC3CD
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A3C0 mov eax, dword ptr fs:[00000030h]3_2_0162A3C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A3C0 mov eax, dword ptr fs:[00000030h]3_2_0162A3C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A3C0 mov eax, dword ptr fs:[00000030h]3_2_0162A3C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A3C0 mov eax, dword ptr fs:[00000030h]3_2_0162A3C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A3C0 mov eax, dword ptr fs:[00000030h]3_2_0162A3C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A3C0 mov eax, dword ptr fs:[00000030h]3_2_0162A3C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016283C0 mov eax, dword ptr fs:[00000030h]3_2_016283C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016283C0 mov eax, dword ptr fs:[00000030h]3_2_016283C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016283C0 mov eax, dword ptr fs:[00000030h]3_2_016283C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016283C0 mov eax, dword ptr fs:[00000030h]3_2_016283C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A63C0 mov eax, dword ptr fs:[00000030h]3_2_016A63C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016CE3DB mov eax, dword ptr fs:[00000030h]3_2_016CE3DB
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016CE3DB mov eax, dword ptr fs:[00000030h]3_2_016CE3DB
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016CE3DB mov ecx, dword ptr fs:[00000030h]3_2_016CE3DB
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016CE3DB mov eax, dword ptr fs:[00000030h]3_2_016CE3DB
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016C43D4 mov eax, dword ptr fs:[00000030h]3_2_016C43D4
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016C43D4 mov eax, dword ptr fs:[00000030h]3_2_016C43D4
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161E388 mov eax, dword ptr fs:[00000030h]3_2_0161E388
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161E388 mov eax, dword ptr fs:[00000030h]3_2_0161E388
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161E388 mov eax, dword ptr fs:[00000030h]3_2_0161E388
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164438F mov eax, dword ptr fs:[00000030h]3_2_0164438F
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164438F mov eax, dword ptr fs:[00000030h]3_2_0164438F
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01618397 mov eax, dword ptr fs:[00000030h]3_2_01618397
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01618397 mov eax, dword ptr fs:[00000030h]3_2_01618397
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01618397 mov eax, dword ptr fs:[00000030h]3_2_01618397
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01624260 mov eax, dword ptr fs:[00000030h]3_2_01624260
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01624260 mov eax, dword ptr fs:[00000030h]3_2_01624260
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01624260 mov eax, dword ptr fs:[00000030h]3_2_01624260
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161826B mov eax, dword ptr fs:[00000030h]3_2_0161826B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D0274 mov eax, dword ptr fs:[00000030h]3_2_016D0274
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A8243 mov eax, dword ptr fs:[00000030h]3_2_016A8243
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A8243 mov ecx, dword ptr fs:[00000030h]3_2_016A8243
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161A250 mov eax, dword ptr fs:[00000030h]3_2_0161A250
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F625D mov eax, dword ptr fs:[00000030h]3_2_016F625D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01626259 mov eax, dword ptr fs:[00000030h]3_2_01626259
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016DA250 mov eax, dword ptr fs:[00000030h]3_2_016DA250
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016DA250 mov eax, dword ptr fs:[00000030h]3_2_016DA250
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161823B mov eax, dword ptr fs:[00000030h]3_2_0161823B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016302E1 mov eax, dword ptr fs:[00000030h]3_2_016302E1
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016302E1 mov eax, dword ptr fs:[00000030h]3_2_016302E1
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016302E1 mov eax, dword ptr fs:[00000030h]3_2_016302E1
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A2C3 mov eax, dword ptr fs:[00000030h]3_2_0162A2C3
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A2C3 mov eax, dword ptr fs:[00000030h]3_2_0162A2C3
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A2C3 mov eax, dword ptr fs:[00000030h]3_2_0162A2C3
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A2C3 mov eax, dword ptr fs:[00000030h]3_2_0162A2C3
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A2C3 mov eax, dword ptr fs:[00000030h]3_2_0162A2C3
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F62D6 mov eax, dword ptr fs:[00000030h]3_2_016F62D6
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016302A0 mov eax, dword ptr fs:[00000030h]3_2_016302A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016302A0 mov eax, dword ptr fs:[00000030h]3_2_016302A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B62A0 mov eax, dword ptr fs:[00000030h]3_2_016B62A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B62A0 mov ecx, dword ptr fs:[00000030h]3_2_016B62A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B62A0 mov eax, dword ptr fs:[00000030h]3_2_016B62A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B62A0 mov eax, dword ptr fs:[00000030h]3_2_016B62A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B62A0 mov eax, dword ptr fs:[00000030h]3_2_016B62A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B62A0 mov eax, dword ptr fs:[00000030h]3_2_016B62A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E284 mov eax, dword ptr fs:[00000030h]3_2_0165E284
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E284 mov eax, dword ptr fs:[00000030h]3_2_0165E284
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A0283 mov eax, dword ptr fs:[00000030h]3_2_016A0283
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A0283 mov eax, dword ptr fs:[00000030h]3_2_016A0283
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A0283 mov eax, dword ptr fs:[00000030h]3_2_016A0283
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165656A mov eax, dword ptr fs:[00000030h]3_2_0165656A
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165656A mov eax, dword ptr fs:[00000030h]3_2_0165656A
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165656A mov eax, dword ptr fs:[00000030h]3_2_0165656A
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01628550 mov eax, dword ptr fs:[00000030h]3_2_01628550
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01628550 mov eax, dword ptr fs:[00000030h]3_2_01628550
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630535 mov eax, dword ptr fs:[00000030h]3_2_01630535
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630535 mov eax, dword ptr fs:[00000030h]3_2_01630535
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630535 mov eax, dword ptr fs:[00000030h]3_2_01630535
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630535 mov eax, dword ptr fs:[00000030h]3_2_01630535
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630535 mov eax, dword ptr fs:[00000030h]3_2_01630535
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630535 mov eax, dword ptr fs:[00000030h]3_2_01630535
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E53E mov eax, dword ptr fs:[00000030h]3_2_0164E53E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E53E mov eax, dword ptr fs:[00000030h]3_2_0164E53E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E53E mov eax, dword ptr fs:[00000030h]3_2_0164E53E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E53E mov eax, dword ptr fs:[00000030h]3_2_0164E53E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E53E mov eax, dword ptr fs:[00000030h]3_2_0164E53E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B6500 mov eax, dword ptr fs:[00000030h]3_2_016B6500
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h]3_2_016F4500
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h]3_2_016F4500
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h]3_2_016F4500
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h]3_2_016F4500
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h]3_2_016F4500
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h]3_2_016F4500
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F4500 mov eax, dword ptr fs:[00000030h]3_2_016F4500
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016225E0 mov eax, dword ptr fs:[00000030h]3_2_016225E0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h]3_2_0164E5E7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h]3_2_0164E5E7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h]3_2_0164E5E7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h]3_2_0164E5E7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h]3_2_0164E5E7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h]3_2_0164E5E7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h]3_2_0164E5E7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E5E7 mov eax, dword ptr fs:[00000030h]3_2_0164E5E7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165C5ED mov eax, dword ptr fs:[00000030h]3_2_0165C5ED
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165C5ED mov eax, dword ptr fs:[00000030h]3_2_0165C5ED
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E5CF mov eax, dword ptr fs:[00000030h]3_2_0165E5CF
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E5CF mov eax, dword ptr fs:[00000030h]3_2_0165E5CF
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016265D0 mov eax, dword ptr fs:[00000030h]3_2_016265D0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A5D0 mov eax, dword ptr fs:[00000030h]3_2_0165A5D0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A5D0 mov eax, dword ptr fs:[00000030h]3_2_0165A5D0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A05A7 mov eax, dword ptr fs:[00000030h]3_2_016A05A7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A05A7 mov eax, dword ptr fs:[00000030h]3_2_016A05A7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A05A7 mov eax, dword ptr fs:[00000030h]3_2_016A05A7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016445B1 mov eax, dword ptr fs:[00000030h]3_2_016445B1
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016445B1 mov eax, dword ptr fs:[00000030h]3_2_016445B1
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01622582 mov eax, dword ptr fs:[00000030h]3_2_01622582
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01622582 mov ecx, dword ptr fs:[00000030h]3_2_01622582
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01654588 mov eax, dword ptr fs:[00000030h]3_2_01654588
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E59C mov eax, dword ptr fs:[00000030h]3_2_0165E59C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AC460 mov ecx, dword ptr fs:[00000030h]3_2_016AC460
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164A470 mov eax, dword ptr fs:[00000030h]3_2_0164A470
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164A470 mov eax, dword ptr fs:[00000030h]3_2_0164A470
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164A470 mov eax, dword ptr fs:[00000030h]3_2_0164A470
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h]3_2_0165E443
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h]3_2_0165E443
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h]3_2_0165E443
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h]3_2_0165E443
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h]3_2_0165E443
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h]3_2_0165E443
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h]3_2_0165E443
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165E443 mov eax, dword ptr fs:[00000030h]3_2_0165E443
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016DA456 mov eax, dword ptr fs:[00000030h]3_2_016DA456
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161645D mov eax, dword ptr fs:[00000030h]3_2_0161645D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164245A mov eax, dword ptr fs:[00000030h]3_2_0164245A
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161E420 mov eax, dword ptr fs:[00000030h]3_2_0161E420
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161E420 mov eax, dword ptr fs:[00000030h]3_2_0161E420
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161E420 mov eax, dword ptr fs:[00000030h]3_2_0161E420
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161C427 mov eax, dword ptr fs:[00000030h]3_2_0161C427
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h]3_2_016A6420
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h]3_2_016A6420
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h]3_2_016A6420
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h]3_2_016A6420
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h]3_2_016A6420
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h]3_2_016A6420
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A6420 mov eax, dword ptr fs:[00000030h]3_2_016A6420
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A430 mov eax, dword ptr fs:[00000030h]3_2_0165A430
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01658402 mov eax, dword ptr fs:[00000030h]3_2_01658402
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01658402 mov eax, dword ptr fs:[00000030h]3_2_01658402
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01658402 mov eax, dword ptr fs:[00000030h]3_2_01658402
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016204E5 mov ecx, dword ptr fs:[00000030h]3_2_016204E5
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016264AB mov eax, dword ptr fs:[00000030h]3_2_016264AB
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016544B0 mov ecx, dword ptr fs:[00000030h]3_2_016544B0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AA4B0 mov eax, dword ptr fs:[00000030h]3_2_016AA4B0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016DA49A mov eax, dword ptr fs:[00000030h]3_2_016DA49A
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01628770 mov eax, dword ptr fs:[00000030h]3_2_01628770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630770 mov eax, dword ptr fs:[00000030h]3_2_01630770
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165674D mov esi, dword ptr fs:[00000030h]3_2_0165674D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165674D mov eax, dword ptr fs:[00000030h]3_2_0165674D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165674D mov eax, dword ptr fs:[00000030h]3_2_0165674D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01620750 mov eax, dword ptr fs:[00000030h]3_2_01620750
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01662750 mov eax, dword ptr fs:[00000030h]3_2_01662750
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01662750 mov eax, dword ptr fs:[00000030h]3_2_01662750
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AE75D mov eax, dword ptr fs:[00000030h]3_2_016AE75D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A4755 mov eax, dword ptr fs:[00000030h]3_2_016A4755
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165C720 mov eax, dword ptr fs:[00000030h]3_2_0165C720
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165C720 mov eax, dword ptr fs:[00000030h]3_2_0165C720
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165273C mov eax, dword ptr fs:[00000030h]3_2_0165273C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165273C mov ecx, dword ptr fs:[00000030h]3_2_0165273C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165273C mov eax, dword ptr fs:[00000030h]3_2_0165273C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169C730 mov eax, dword ptr fs:[00000030h]3_2_0169C730
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165C700 mov eax, dword ptr fs:[00000030h]3_2_0165C700
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01620710 mov eax, dword ptr fs:[00000030h]3_2_01620710
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01650710 mov eax, dword ptr fs:[00000030h]3_2_01650710
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016427ED mov eax, dword ptr fs:[00000030h]3_2_016427ED
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016427ED mov eax, dword ptr fs:[00000030h]3_2_016427ED
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016427ED mov eax, dword ptr fs:[00000030h]3_2_016427ED
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AE7E1 mov eax, dword ptr fs:[00000030h]3_2_016AE7E1
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016247FB mov eax, dword ptr fs:[00000030h]3_2_016247FB
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016247FB mov eax, dword ptr fs:[00000030h]3_2_016247FB
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162C7C0 mov eax, dword ptr fs:[00000030h]3_2_0162C7C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A07C3 mov eax, dword ptr fs:[00000030h]3_2_016A07C3
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016207AF mov eax, dword ptr fs:[00000030h]3_2_016207AF
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D47A0 mov eax, dword ptr fs:[00000030h]3_2_016D47A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016C678E mov eax, dword ptr fs:[00000030h]3_2_016C678E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016E866E mov eax, dword ptr fs:[00000030h]3_2_016E866E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016E866E mov eax, dword ptr fs:[00000030h]3_2_016E866E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A660 mov eax, dword ptr fs:[00000030h]3_2_0165A660
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A660 mov eax, dword ptr fs:[00000030h]3_2_0165A660
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01652674 mov eax, dword ptr fs:[00000030h]3_2_01652674
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163C640 mov eax, dword ptr fs:[00000030h]3_2_0163C640
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163E627 mov eax, dword ptr fs:[00000030h]3_2_0163E627
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01656620 mov eax, dword ptr fs:[00000030h]3_2_01656620
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01658620 mov eax, dword ptr fs:[00000030h]3_2_01658620
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162262C mov eax, dword ptr fs:[00000030h]3_2_0162262C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169E609 mov eax, dword ptr fs:[00000030h]3_2_0169E609
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163260B mov eax, dword ptr fs:[00000030h]3_2_0163260B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163260B mov eax, dword ptr fs:[00000030h]3_2_0163260B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163260B mov eax, dword ptr fs:[00000030h]3_2_0163260B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163260B mov eax, dword ptr fs:[00000030h]3_2_0163260B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163260B mov eax, dword ptr fs:[00000030h]3_2_0163260B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163260B mov eax, dword ptr fs:[00000030h]3_2_0163260B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0163260B mov eax, dword ptr fs:[00000030h]3_2_0163260B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01662619 mov eax, dword ptr fs:[00000030h]3_2_01662619
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169E6F2 mov eax, dword ptr fs:[00000030h]3_2_0169E6F2
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169E6F2 mov eax, dword ptr fs:[00000030h]3_2_0169E6F2
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169E6F2 mov eax, dword ptr fs:[00000030h]3_2_0169E6F2
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169E6F2 mov eax, dword ptr fs:[00000030h]3_2_0169E6F2
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A06F1 mov eax, dword ptr fs:[00000030h]3_2_016A06F1
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A06F1 mov eax, dword ptr fs:[00000030h]3_2_016A06F1
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A6C7 mov ebx, dword ptr fs:[00000030h]3_2_0165A6C7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A6C7 mov eax, dword ptr fs:[00000030h]3_2_0165A6C7
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165C6A6 mov eax, dword ptr fs:[00000030h]3_2_0165C6A6
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016566B0 mov eax, dword ptr fs:[00000030h]3_2_016566B0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01624690 mov eax, dword ptr fs:[00000030h]3_2_01624690
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01624690 mov eax, dword ptr fs:[00000030h]3_2_01624690
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01646962 mov eax, dword ptr fs:[00000030h]3_2_01646962
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01646962 mov eax, dword ptr fs:[00000030h]3_2_01646962
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01646962 mov eax, dword ptr fs:[00000030h]3_2_01646962
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0166096E mov eax, dword ptr fs:[00000030h]3_2_0166096E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0166096E mov edx, dword ptr fs:[00000030h]3_2_0166096E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0166096E mov eax, dword ptr fs:[00000030h]3_2_0166096E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016C4978 mov eax, dword ptr fs:[00000030h]3_2_016C4978
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016C4978 mov eax, dword ptr fs:[00000030h]3_2_016C4978
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AC97C mov eax, dword ptr fs:[00000030h]3_2_016AC97C
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A0946 mov eax, dword ptr fs:[00000030h]3_2_016A0946
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F4940 mov eax, dword ptr fs:[00000030h]3_2_016F4940
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A892A mov eax, dword ptr fs:[00000030h]3_2_016A892A
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B892B mov eax, dword ptr fs:[00000030h]3_2_016B892B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169E908 mov eax, dword ptr fs:[00000030h]3_2_0169E908
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169E908 mov eax, dword ptr fs:[00000030h]3_2_0169E908
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AC912 mov eax, dword ptr fs:[00000030h]3_2_016AC912
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01618918 mov eax, dword ptr fs:[00000030h]3_2_01618918
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01618918 mov eax, dword ptr fs:[00000030h]3_2_01618918
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AE9E0 mov eax, dword ptr fs:[00000030h]3_2_016AE9E0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016529F9 mov eax, dword ptr fs:[00000030h]3_2_016529F9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016529F9 mov eax, dword ptr fs:[00000030h]3_2_016529F9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B69C0 mov eax, dword ptr fs:[00000030h]3_2_016B69C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h]3_2_0162A9D0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h]3_2_0162A9D0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h]3_2_0162A9D0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h]3_2_0162A9D0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h]3_2_0162A9D0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0162A9D0 mov eax, dword ptr fs:[00000030h]3_2_0162A9D0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016549D0 mov eax, dword ptr fs:[00000030h]3_2_016549D0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016EA9D3 mov eax, dword ptr fs:[00000030h]3_2_016EA9D3
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016329A0 mov eax, dword ptr fs:[00000030h]3_2_016329A0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016209AD mov eax, dword ptr fs:[00000030h]3_2_016209AD
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016209AD mov eax, dword ptr fs:[00000030h]3_2_016209AD
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A89B3 mov esi, dword ptr fs:[00000030h]3_2_016A89B3
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A89B3 mov eax, dword ptr fs:[00000030h]3_2_016A89B3
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A89B3 mov eax, dword ptr fs:[00000030h]3_2_016A89B3
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AE872 mov eax, dword ptr fs:[00000030h]3_2_016AE872
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AE872 mov eax, dword ptr fs:[00000030h]3_2_016AE872
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B6870 mov eax, dword ptr fs:[00000030h]3_2_016B6870
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B6870 mov eax, dword ptr fs:[00000030h]3_2_016B6870
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01632840 mov ecx, dword ptr fs:[00000030h]3_2_01632840
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01650854 mov eax, dword ptr fs:[00000030h]3_2_01650854
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01624859 mov eax, dword ptr fs:[00000030h]3_2_01624859
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01624859 mov eax, dword ptr fs:[00000030h]3_2_01624859
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01642835 mov eax, dword ptr fs:[00000030h]3_2_01642835
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01642835 mov eax, dword ptr fs:[00000030h]3_2_01642835
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01642835 mov eax, dword ptr fs:[00000030h]3_2_01642835
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01642835 mov ecx, dword ptr fs:[00000030h]3_2_01642835
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01642835 mov eax, dword ptr fs:[00000030h]3_2_01642835
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01642835 mov eax, dword ptr fs:[00000030h]3_2_01642835
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A830 mov eax, dword ptr fs:[00000030h]3_2_0165A830
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016C483A mov eax, dword ptr fs:[00000030h]3_2_016C483A
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016C483A mov eax, dword ptr fs:[00000030h]3_2_016C483A
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AC810 mov eax, dword ptr fs:[00000030h]3_2_016AC810
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016EA8E4 mov eax, dword ptr fs:[00000030h]3_2_016EA8E4
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165C8F9 mov eax, dword ptr fs:[00000030h]3_2_0165C8F9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165C8F9 mov eax, dword ptr fs:[00000030h]3_2_0165C8F9
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164E8C0 mov eax, dword ptr fs:[00000030h]3_2_0164E8C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F08C0 mov eax, dword ptr fs:[00000030h]3_2_016F08C0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01620887 mov eax, dword ptr fs:[00000030h]3_2_01620887
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016AC89D mov eax, dword ptr fs:[00000030h]3_2_016AC89D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0161CB7E mov eax, dword ptr fs:[00000030h]3_2_0161CB7E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D4B4B mov eax, dword ptr fs:[00000030h]3_2_016D4B4B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D4B4B mov eax, dword ptr fs:[00000030h]3_2_016D4B4B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B6B40 mov eax, dword ptr fs:[00000030h]3_2_016B6B40
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016B6B40 mov eax, dword ptr fs:[00000030h]3_2_016B6B40
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016EAB40 mov eax, dword ptr fs:[00000030h]3_2_016EAB40
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016C8B42 mov eax, dword ptr fs:[00000030h]3_2_016C8B42
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01618B50 mov eax, dword ptr fs:[00000030h]3_2_01618B50
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F2B57 mov eax, dword ptr fs:[00000030h]3_2_016F2B57
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F2B57 mov eax, dword ptr fs:[00000030h]3_2_016F2B57
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F2B57 mov eax, dword ptr fs:[00000030h]3_2_016F2B57
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F2B57 mov eax, dword ptr fs:[00000030h]3_2_016F2B57
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016CEB50 mov eax, dword ptr fs:[00000030h]3_2_016CEB50
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164EB20 mov eax, dword ptr fs:[00000030h]3_2_0164EB20
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164EB20 mov eax, dword ptr fs:[00000030h]3_2_0164EB20
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016E8B28 mov eax, dword ptr fs:[00000030h]3_2_016E8B28
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016E8B28 mov eax, dword ptr fs:[00000030h]3_2_016E8B28
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016F4B00 mov eax, dword ptr fs:[00000030h]3_2_016F4B00
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169EB1D mov eax, dword ptr fs:[00000030h]3_2_0169EB1D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169EB1D mov eax, dword ptr fs:[00000030h]3_2_0169EB1D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169EB1D mov eax, dword ptr fs:[00000030h]3_2_0169EB1D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169EB1D mov eax, dword ptr fs:[00000030h]3_2_0169EB1D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169EB1D mov eax, dword ptr fs:[00000030h]3_2_0169EB1D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169EB1D mov eax, dword ptr fs:[00000030h]3_2_0169EB1D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169EB1D mov eax, dword ptr fs:[00000030h]3_2_0169EB1D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169EB1D mov eax, dword ptr fs:[00000030h]3_2_0169EB1D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169EB1D mov eax, dword ptr fs:[00000030h]3_2_0169EB1D
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01628BF0 mov eax, dword ptr fs:[00000030h]3_2_01628BF0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01628BF0 mov eax, dword ptr fs:[00000030h]3_2_01628BF0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01628BF0 mov eax, dword ptr fs:[00000030h]3_2_01628BF0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164EBFC mov eax, dword ptr fs:[00000030h]3_2_0164EBFC
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016ACBF0 mov eax, dword ptr fs:[00000030h]3_2_016ACBF0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01640BCB mov eax, dword ptr fs:[00000030h]3_2_01640BCB
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01640BCB mov eax, dword ptr fs:[00000030h]3_2_01640BCB
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01640BCB mov eax, dword ptr fs:[00000030h]3_2_01640BCB
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01620BCD mov eax, dword ptr fs:[00000030h]3_2_01620BCD
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01620BCD mov eax, dword ptr fs:[00000030h]3_2_01620BCD
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01620BCD mov eax, dword ptr fs:[00000030h]3_2_01620BCD
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016CEBD0 mov eax, dword ptr fs:[00000030h]3_2_016CEBD0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630BBE mov eax, dword ptr fs:[00000030h]3_2_01630BBE
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630BBE mov eax, dword ptr fs:[00000030h]3_2_01630BBE
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D4BB0 mov eax, dword ptr fs:[00000030h]3_2_016D4BB0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016D4BB0 mov eax, dword ptr fs:[00000030h]3_2_016D4BB0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165CA6F mov eax, dword ptr fs:[00000030h]3_2_0165CA6F
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165CA6F mov eax, dword ptr fs:[00000030h]3_2_0165CA6F
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165CA6F mov eax, dword ptr fs:[00000030h]3_2_0165CA6F
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016CEA60 mov eax, dword ptr fs:[00000030h]3_2_016CEA60
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169CA72 mov eax, dword ptr fs:[00000030h]3_2_0169CA72
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0169CA72 mov eax, dword ptr fs:[00000030h]3_2_0169CA72
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01626A50 mov eax, dword ptr fs:[00000030h]3_2_01626A50
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01626A50 mov eax, dword ptr fs:[00000030h]3_2_01626A50
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01626A50 mov eax, dword ptr fs:[00000030h]3_2_01626A50
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01626A50 mov eax, dword ptr fs:[00000030h]3_2_01626A50
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01626A50 mov eax, dword ptr fs:[00000030h]3_2_01626A50
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01626A50 mov eax, dword ptr fs:[00000030h]3_2_01626A50
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01626A50 mov eax, dword ptr fs:[00000030h]3_2_01626A50
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630A5B mov eax, dword ptr fs:[00000030h]3_2_01630A5B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01630A5B mov eax, dword ptr fs:[00000030h]3_2_01630A5B
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165CA24 mov eax, dword ptr fs:[00000030h]3_2_0165CA24
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0164EA2E mov eax, dword ptr fs:[00000030h]3_2_0164EA2E
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01644A35 mov eax, dword ptr fs:[00000030h]3_2_01644A35
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01644A35 mov eax, dword ptr fs:[00000030h]3_2_01644A35
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165CA38 mov eax, dword ptr fs:[00000030h]3_2_0165CA38
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016ACA11 mov eax, dword ptr fs:[00000030h]3_2_016ACA11
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165AAEE mov eax, dword ptr fs:[00000030h]3_2_0165AAEE
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165AAEE mov eax, dword ptr fs:[00000030h]3_2_0165AAEE
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01676ACC mov eax, dword ptr fs:[00000030h]3_2_01676ACC
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01676ACC mov eax, dword ptr fs:[00000030h]3_2_01676ACC
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01676ACC mov eax, dword ptr fs:[00000030h]3_2_01676ACC
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01620AD0 mov eax, dword ptr fs:[00000030h]3_2_01620AD0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01654AD0 mov eax, dword ptr fs:[00000030h]3_2_01654AD0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01654AD0 mov eax, dword ptr fs:[00000030h]3_2_01654AD0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01628AA0 mov eax, dword ptr fs:[00000030h]3_2_01628AA0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01628AA0 mov eax, dword ptr fs:[00000030h]3_2_01628AA0
          Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_01676AA4 mov eax, dword ptr fs:[00000030h]3_2_01676AA4
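The rows above are the evidence for the "Contains functionality to read the PEB" signature: on 32-bit Windows fs: selects the TEB, and TEB+0x30 is its ProcessEnvironmentBlock field, so every "mov reg, dword ptr fs:[00000030h]" is a function fetching the PEB pointer. The report shows only that read, not which PEB field is consumed afterwards (BeingDebugged at PEB+0x02, NtGlobalFlag at PEB+0x68, or Ldr at PEB+0x0C for import-free API resolution), so nothing below claims one. The following script is an added example, not part of the Joe Sandbox report and not FormBook's code: it parses rows in the report's own "Code function: <process>_<dump>_<address> mov ..." format, groups the reads per function and computes the address span they occupy. The sample rows embedded in it are copied from the list above plus one unrelated row; the column names "process index" and "dump index" for the two numbers in the function id are this example's reading of the report's naming.

```python
import re
from collections import OrderedDict

# One Joe Sandbox "Code function" evidence row for the PEB-read signature.
# The function id is "<process index>_<dump index>_<address>"; the row ends with
# the same id again (the report's link text), which is ignored here.
ROW_RE = re.compile(
    r"Code function:\s*(?P<fid>(?P<proc>\d+)_(?P<dump>\d+)_(?P<addr>[0-9A-Fa-f]{8}))"
    r"\s+mov\s+(?P<reg>\w+),\s*dword ptr fs:\[(?P<off>[0-9A-Fa-f]+)h\]"
)

# fs: is the TEB on 32-bit Windows; these are the offsets such signatures fire on.
TEB_FIELDS = {
    0x18: "Self (pointer to the TEB itself)",
    0x30: "ProcessEnvironmentBlock (pointer to the PEB)",
}

# Constructed sample: rows copied from the report above plus one unrelated row.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_016A4755 mov eax, dword ptr fs:[00000030h]3_2_016A4755
Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165273C mov eax, dword ptr fs:[00000030h]3_2_0165273C
Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165273C mov ecx, dword ptr fs:[00000030h]3_2_0165273C
Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165273C mov eax, dword ptr fs:[00000030h]3_2_0165273C
Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A6C7 mov ebx, dword ptr fs:[00000030h]3_2_0165A6C7
Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0165A6C7 mov eax, dword ptr fs:[00000030h]3_2_0165A6C7
Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0166096E mov eax, dword ptr fs:[00000030h]3_2_0166096E
Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0166096E mov edx, dword ptr fs:[00000030h]3_2_0166096E
Source: C:\Users\user\Desktop\Bank swift.exeCode function: 3_2_0166096E mov eax, dword ptr fs:[00000030h]3_2_0166096E
Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_0078647E GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,5_2_0078647E
""".strip().splitlines()


def teb_field(offset):
    """Human-readable name of a TEB offset read through fs:."""
    return TEB_FIELDS.get(offset, f"TEB+{offset:#x}")


def parse_row(row):
    """Return (fid, process index, address, register, TEB offset), or None for other row kinds."""
    m = ROW_RE.search(row)
    if m is None:
        return None
    return (m["fid"], int(m["proc"]), int(m["addr"], 16), m["reg"], int(m["off"], 16))


def group_peb_reads(rows):
    """fid -> destination registers of every fs:[30h] read in that function, in report order."""
    groups = OrderedDict()
    for row in rows:
        rec = parse_row(row)
        if rec is None or rec[4] != 0x30:   # keep only TEB->PEB reads
            continue
        groups.setdefault(rec[0], []).append(rec[3])
    return groups


def address_span(groups):
    """(lowest, highest) function address, i.e. the mapped region the reads live in."""
    addrs = [int(fid.rsplit("_", 1)[1], 16) for fid in groups]
    return min(addrs), max(addrs)


def describe(groups):
    """One summary line per function, e.g. '3_2_0165273C: 3 reads (eax, ecx, eax)'."""
    return [f"{fid}: {len(regs)} reads ({', '.join(regs)})" for fid, regs in groups.items()]


if __name__ == "__main__":
    g = group_peb_reads(SAMPLE_ROWS)
    lo, hi = address_span(g)
    print(f"{sum(map(len, g.values()))} reads of {teb_field(0x30)} in {len(g)} functions, "
          f"{lo:#010x}..{hi:#010x}")
    print("\n".join(describe(g)))
```

Run over the full list above, the same grouping collapses the two hundred rows to a few dozen functions that all sit in one region of process 3 (the hollowed copy of Bank swift.exe), which is the useful triage fact: the PEB reads belong to one unpacked module, not to scattered code.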
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078647E GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\Bank swift.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Bank swift.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078DCAA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\Bank swift.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Bank swift.exe | NtQueueApcThread: Indirect: 0x117A4F2
Source: C:\Users\user\Desktop\Bank swift.exe | NtClose: Indirect: 0x117A56C
Source: C:\Users\user\Desktop\Bank swift.exe | Memory written: C:\Users\user\Desktop\Bank swift.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Bank swift.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Bank swift.exe | Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\cscript.exe | Thread register set: target process: 1028
Source: C:\Users\user\Desktop\Bank swift.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Bank swift.exe | Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 780000
Source: C:\Users\user\Desktop\Bank swift.exe | Process created: C:\Users\user\Desktop\Bank swift.exe "C:\Users\user\Desktop\Bank swift.exe"
Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Bank swift.exe"
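The rows above describe one injection chain: Bank swift.exe starts a second copy of itself, writes an MZ image over that copy at base 0x400000 (hollowing), maps executable-and-writable sections into explorer.exe and cscript.exe, sets a thread context and queues an APC in explorer.exe, and cscript.exe finally runs cmd.exe /c del on the original file. The following is an added example, not part of the Joe Sandbox report and not FormBook's code: three detection rules run over constructed Sysmon-style events that replay the parts of that chain Sysmon can see. Field names follow Sysmon's (Image, ParentImage, CommandLine for event 1; SourceImage, TargetImage, GrantedAccess for event 10), but the events are constructed for this example, not captured. The section mapping, SetThreadContext and NtQueueApcThread steps themselves produce no Sysmon event, so the middle rule keys on the access mask granted when the foreign process handle was opened, which Sysmon does record.

```python
import re

# Process access rights (winnt.h) that writing a payload into another process requires.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# "cmd.exe /c del <path>", with or without quotes around the path.
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)

# Constructed Sysmon-style events replaying the chain in the report (not a real capture).
BANK = r"C:\Users\user\Desktop\Bank swift.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CSCRIPT = r"C:\Windows\SysWOW64\cscript.exe"
EVENTS = [
    {"EventID": 1, "Image": BANK, "ParentImage": EXPLORER, "CommandLine": f'"{BANK}"'},
    {"EventID": 1, "Image": BANK, "ParentImage": BANK, "CommandLine": f'"{BANK}"'},           # self-spawn
    {"EventID": 10, "SourceImage": BANK, "TargetImage": EXPLORER, "GrantedAccess": "0x1FFFFF"},  # full access
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": EXPLORER, "GrantedAccess": "0x1000"},                                   # benign query
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": CSCRIPT,
     "CommandLine": f'cmd.exe /c del "{BANK}"'},                                            # self-delete
]


def _name(path):
    """File name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, source, target) findings for the injection-chain rules, in event order."""
    findings = []
    seen = set()  # lower-cased images that started as processes, so a later "del" can be tied to one
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # ProcessCreate
            image, parent = ev["Image"], ev["ParentImage"]
            # A process launching its own image is the first step of hollowing a copy of itself.
            if image.lower() == parent.lower():
                findings.append(("self_spawn", parent, image))
            m = DEL_RE.search(ev.get("CommandLine", ""))
            # cmd.exe deleting a file that earlier ran as a process: the dropper removing itself.
            if _name(image) == "cmd.exe" and m and m["path"].lower() in seen:
                findings.append(("self_delete", parent, m["path"]))
            seen.add(image.lower())
        elif eid == 10:  # ProcessAccess
            granted = int(ev["GrantedAccess"], 16)
            # Thread-creation plus memory-write rights on a foreign process are what mapping a
            # section or writing an MZ image into it needs; a query-only handle (0x1000) is not.
            if (ev["SourceImage"].lower() != ev["TargetImage"].lower()
                    and granted & INJECT_MASK == INJECT_MASK):
                findings.append(("inject_access", ev["SourceImage"], ev["TargetImage"]))
    return findings


if __name__ == "__main__":
    for rule, src, dst in detect(EVENTS):
        print(f"{rule:14} {src} -> {dst}")
```

The access-mask rule needs an allowlist in production (backup agents, EDR sensors and debuggers legitimately open processes with these rights); the self-spawn and self-delete rules are much quieter and, taken together with a write into explorer.exe, reproduce the ordering the report shows.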
Source: explorer.exe, 00000004.00000002.4510303360.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000004.00000000.2050547322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4502745785.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.2050547322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2063341821.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4502745785.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.2050547322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4502745785.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.2050547322.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4502745785.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.4501873324.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2049993282.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078AADC GetUserDefaultLCID,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_00797E85 GetLocaleInfoW,wcsncmp
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078AB35 GetLocaleInfoW
Source: C:\Users\user\Desktop\Bank swift.exe | Queries volume information: C:\Users\user\Desktop\Bank swift.exe VolumeInformation
Source: C:\Users\user\Desktop\Bank swift.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank swift.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank swift.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Bank swift.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Bank swift.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078DC00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_00787490 RegOpenKeyExW,RegOpenKeyExW,SysFreeString,RegCloseKey,RegCloseKey,WideCharToMultiByte,__alloca_probe_16,WideCharToMultiByte,RegOpenKeyExA,GetLastError,RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078A9C0 InitializeCriticalSection,GetVersionExA
Source: C:\Users\user\Desktop\Bank swift.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 3.2.Bank swift.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Bank swift.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bank swift.exe.4b48130.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bank swift.exe.4ad8310.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_00795880 CreateBindCtx,MkParseDisplayName
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0078CD6C CoCreateInstance,CoCreateInstance,GetUserDefaultLCID,CoGetClassObject,CreateBindCtx
MITRE ATT&CK Matrix (one line per tactic column; the bracketed numbers reproduce the count badges shown next to a technique in the original matrix, techniques without a badge carry none)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API [1]; Shared Modules [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection [512]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [41]; Process Injection [512]; Deobfuscate/Decode Files or Information [1]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [4]; Software Packing [12]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Security Software Discovery [231]; Process Discovery [2]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; File and Directory Discovery [1]; System Information Discovery [224]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label | Link
Bank swift.exe | 47% | ReversingLabs | Win32.Trojan.Generic |
Bank swift.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label | Link
https://powerpoint.office.comcember | 0% | URL Reputation | safe |
https://excel.office.com | 0% | URL Reputation | safe |
http://schemas.micro | 0% | URL Reputation | safe |
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe |
https://outlook.com | 0% | URL Reputation | safe |
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe |
https://api.msn.com/ | 0% | URL Reputation | safe |
http://crl.v | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.newordforpurpose.info | unknown | unknown | true | | unknown
www.39474.club | unknown | unknown | true | | unknown
www.7732.club | unknown | unknown | true | | unknown
www.itygatehousing.app | unknown | unknown | true | | unknown
www.ehills.shop | unknown | unknown | true | | unknown
www.araghospitality.net | unknown | unknown | true | | unknown
www.ntermoney24cad.homes | unknown | unknown | true | | unknown
www.ransportationwlsltpro.top | unknown | unknown | true | | unknown
www.erkakasrumah.online | unknown | unknown | true | | unknown
www.teamgame-mod.net | unknown | unknown | true | | unknown
www.tmgl.bond | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.ehills.shop/m25s/ | true | | unknown
                                  NameSourceMaliciousAntivirus DetectionReputation
                                  http://www.erkakasrumah.online/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                    unknown
                                    https://word.office.comonexplorer.exe, 00000004.00000002.4510303360.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.00000000099C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                      unknown
                                      http://www.52006.club/m25s/jexplorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                        unknown
                                        http://www.39474.clubReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                          unknown
                                          http://www.ottah.studio/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                            unknown
                                            http://www.ransportationwlsltpro.top/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                              unknown
                                              http://www.ntermoney24cad.homes/m25s/www.ransportationwlsltpro.topexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                unknown
                                                https://powerpoint.office.comcemberexplorer.exe, 00000004.00000000.2069010894.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4514503769.000000000C460000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.ransportationwlsltpro.topReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  unknown
                                                  http://www.newordforpurpose.info/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    unknown
                                                    http://www.ax-th-6011838.fyiexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      unknown
                                                      https://excel.office.comexplorer.exe, 00000004.00000002.4510303360.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.ottah.studio/m25s/www.52006.clubexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://schemas.microexplorer.exe, 00000004.00000000.2065155899.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4508338906.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2065185621.0000000008890000.00000002.00000001.00040000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.39474.clubexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://www.ax-th-6011838.fyi/m25s/www.ottah.studioexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://www.xewaov.xyzexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://www.ransportationwlsltpro.top/m25s/www.olnacasinotcs14.topexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://www.ehills.shopexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://www.teamgame-mod.netexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://www.ottah.studioReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      http://www.itygatehousing.appReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://www.itygatehousing.app/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          http://www.52006.club/m25s/Aexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://www.araghospitality.netexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://www.ehills.shop/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://www.newordforpurpose.infoexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000004.00000002.4514503769.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3833545516.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098917447.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2069010894.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.erkakasrumah.onlineReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://www.xewaov.xyz/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://www.teamgame-mod.netReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://www.ehills.shop/m25s/www.teamgame-mod.netexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://wns.windows.com/)sexplorer.exe, 00000004.00000002.4510303360.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.00000000099C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000004.00000000.2069825453.000000000C81C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.teamgame-mod.net/m25s/www.araghospitality.netexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.7732.club/m25s/www.ehills.shopexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://www.olnacasinotcs14.top/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://www.teamgame-mod.net/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://www.tmgl.bondexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://www.ax-th-6011838.fyi/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://www.itygatehousing.appexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://www.7732.clubReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://www.olnacasinotcs14.topReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://www.tmgl.bondReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://www.xewaov.xyzReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://www.araghospitality.netReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://www.ehills.shopReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://www.erkakasrumah.online/m25s/www.7732.clubexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.39474.club/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://www.tmgl.bond/m25s/explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://outlook.comexplorer.exe, 00000004.00000002.4510303360.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2066032017.0000000009B41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://www.39474.club/m25s/www.xewaov.xyzexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://www.ottah.studioexplorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://www.ax-th-6011838.fyiReferer:explorer.exe, 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
URLs found in explorer.exe memory dumps. Columns: URL | Source | Malicious | Antivirus Detection | Reputation. Every source is explorer.exe; the dump names are abbreviated with the legend below.

Dump legend:
A = 00000004.00000002.4503493727.0000000003545000.00000004.00000001.00020000.00000000.sdmp
B = 00000004.00000003.3098868617.0000000003542000.00000004.00000001.00020000.00000000.sdmp
C = 00000004.00000000.2063621463.00000000076F8000.00000004.00000001.00020000.00000000.sdmp
D = 00000004.00000003.3099874742.00000000076F8000.00000004.00000001.00020000.00000000.sdmp
E = 00000004.00000002.4505790397.00000000076F8000.00000004.00000001.00020000.00000000.sdmp
F = 00000004.00000003.3837680509.00000000076F8000.00000004.00000001.00020000.00000000.sdmp
G = 00000004.00000002.4510303360.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp
H = 00000004.00000000.2066032017.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp
I = 00000004.00000002.4501873324.0000000000F13000.00000004.00000020.00020000.00000000.sdmp
J = 00000004.00000000.2049993282.0000000000F13000.00000004.00000020.00020000.00000000.sdmp

http://www.52006.club | explorer.exe, A, B | false | | unknown
http://www.itygatehousing.app/m25s/www.erkakasrumah.online | explorer.exe, A, B | false | | unknown
http://www.tmgl.bond/m25s/www.newordforpurpose.info | explorer.exe, A, B | false | | unknown
http://www.ntermoney24cad.homes | explorer.exe, A, B | false | | unknown
http://www.olnacasinotcs14.top/m25s/www.ax-th-6011838.fyi | explorer.exe, A, B | false | | unknown
https://android.notify.windows.com/iOS | explorer.exe, C, D, E, F | false | URL Reputation: safe | unknown
http://www.52006.club/m25s/ | explorer.exe, A, B | false | | unknown
http://www.olnacasinotcs14.top | explorer.exe, A, B | false | | unknown
http://www.xewaov.xyz/m25s/www.itygatehousing.app | explorer.exe, A, B | false | | unknown
http://www.araghospitality.net/m25s/www.ntermoney24cad.homes | explorer.exe, A, B | false | | unknown
http://www.ransportationwlsltpro.top | explorer.exe, A, B | false | | unknown
https://api.msn.com/ | explorer.exe, G, H | false | URL Reputation: safe | unknown
http://www.araghospitality.net/m25s/ | explorer.exe, A, B | false | | unknown
http://www.7732.club | explorer.exe, A, B | false | | unknown
http://www.erkakasrumah.online | explorer.exe, A, B | false | | unknown
http://www.ntermoney24cad.homesReferer: | explorer.exe, A, B | false | | unknown
http://crl.v | explorer.exe, I, J | false | URL Reputation: safe | unknown
http://www.52006.clubReferer: | explorer.exe, A, B | false | | unknown
http://www.newordforpurpose.info/m25s/www.39474.club | explorer.exe, A, B | false | | unknown
http://www.7732.club/m25s/ | explorer.exe, A, B | false | | unknown
http://www.newordforpurpose.infoReferer: | explorer.exe, A, B | false | | unknown
http://www.ntermoney24cad.homes/m25s/ | explorer.exe, A, B | false | | unknown
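The strings in the table above are carved from explorer.exe memory, and carving stops at the first byte that cannot belong to a URL, so whatever sat next to a URL in memory is glued onto it: the next host of the same list (http://www.xewaov.xyz/m25s/www.itygatehousing.app), or an HTTP header fragment (http://www.52006.clubReferer:). All of the payload's hosts share one URI path, /m25s/, while the three rows marked safe (android.notify.windows.com, api.msn.com, the truncated crl.v) are explorer.exe's own strings. The script below is an added example, not Joe Sandbox code: it takes the report's strings and their reputation column (copied inline from the table), peels the glued neighbour off each one, and returns the unique hosts, the shared path and the stray fragments. The splitting rule (a host is lowercase DNS-label characters only, a path is one segment) is this example's own heuristic, not something the report states.

```python
"""Normalise URL strings carved from process memory (added example, not Joe Sandbox code).

A carved string stops at the first byte that cannot be part of a URL, so the
string that followed it in memory is glued on: the next host of the same list
("/m25s/www.next.tld") or an HTTP header fragment ("Referer:"). This peels the
neighbour off, drops the rows the report marks safe, and returns the unique
hosts plus the URI path they share. The splitting rule is this example's own
heuristic: a host is lowercase DNS-label characters, a path is one segment.
"""
import re
from collections import Counter

# (string as printed in the report, reputation column); copied from the report table.
MEMORY_URLS = [
    ("http://www.52006.club", "unknown"),
    ("http://www.itygatehousing.app/m25s/www.erkakasrumah.online", "unknown"),
    ("http://www.tmgl.bond/m25s/www.newordforpurpose.info", "unknown"),
    ("http://www.ntermoney24cad.homes", "unknown"),
    ("http://www.olnacasinotcs14.top/m25s/www.ax-th-6011838.fyi", "unknown"),
    ("https://android.notify.windows.com/iOS", "safe"),
    ("http://www.52006.club/m25s/", "unknown"),
    ("http://www.olnacasinotcs14.top", "unknown"),
    ("http://www.xewaov.xyz/m25s/www.itygatehousing.app", "unknown"),
    ("http://www.araghospitality.net/m25s/www.ntermoney24cad.homes", "unknown"),
    ("http://www.ransportationwlsltpro.top", "unknown"),
    ("https://api.msn.com/", "safe"),
    ("http://www.araghospitality.net/m25s/", "unknown"),
    ("http://www.7732.club", "unknown"),
    ("http://www.erkakasrumah.online", "unknown"),
    ("http://www.ntermoney24cad.homesReferer:", "unknown"),
    ("http://crl.v", "safe"),
    ("http://www.52006.clubReferer:", "unknown"),
    ("http://www.newordforpurpose.info/m25s/www.39474.club", "unknown"),
    ("http://www.7732.club/m25s/", "unknown"),
    ("http://www.newordforpurpose.infoReferer:", "unknown"),
    ("http://www.ntermoney24cad.homes/m25s/", "unknown"),
]

URL_RE = re.compile(
    r"^(?P<scheme>https?)://"
    r"(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)*)"   # stops at '/', ':' or an uppercase letter
    r"(?P<path>/[^/]*/?)?"                      # at most one path segment
    r"(?P<tail>.*)$"                            # whatever was glued on after it
)
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def split_memory_url(s):
    """Return (host, path, glued_tail) for one carved string."""
    m = URL_RE.match(s)
    if not m:
        raise ValueError(f"not a URL string: {s!r}")
    return m.group("host"), m.group("path") or "", m.group("tail")


def summarise(entries):
    """Unique hosts, the most common non-root path, and non-host fragments glued to URLs."""
    hosts, paths, fragments = set(), Counter(), set()
    for s, reputation in entries:
        if reputation == "safe":
            continue                      # explorer.exe's own strings, not the payload's
        host, path, tail = split_memory_url(s)
        hosts.add(host)
        if len(path) > 1:
            paths[path] += 1
        if HOST_RE.match(tail):
            hosts.add(tail)               # neighbouring entry of the same in-memory list
        elif tail:
            fragments.add(tail)           # e.g. "Referer:", a header string stored next to the URL
    return {
        "hosts": sorted(hosts),
        "path": paths.most_common(1)[0][0] if paths else None,
        "fragments": sorted(fragments),
    }


if __name__ == "__main__":
    result = summarise(MEMORY_URLS)
    print(f"{len(result['hosts'])} hosts, shared path {result['path']}, fragments {result['fragments']}")
    for h in result["hosts"]:
        print(" ", h)
```

The host list this yields is the pivot a detection engineer would take from this report: thirteen distinct www.* hosts, each of which the sample would request with the same /m25s/ path, which is why the behaviour section above reports many DNS resolutions with no valid domain.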
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1540335
Start date and time: 2024-10-23 17:22:23 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: Bank swift.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@303/1@11/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 128
• Number of non-executed functions: 318
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big: too many NtEnumerateKey calls found
• Report size getting too big: too many NtOpenKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtQueryValueKey calls found
• VT rate limit hit for: Bank swift.exe

Time | Type | Description
11:23:13 | API Interceptor | 1x Sleep call for process: Bank swift.exe modified
11:23:22 | API Interceptor | 7048335x Sleep call for process: explorer.exe modified
11:23:57 | API Interceptor | 6362396x Sleep call for process: cscript.exe modified
No context
Process: C:\Users\user\Desktop\Bank swift.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.642674799866492
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Bank swift.exe
File size: 717'312 bytes
MD5: a9a37483725640f15287ebad5eddfabf
SHA1: 9f254db4527381e6496df48b5bf1c3f022cb704b
SHA256: 7485c7b439341ddefbc3a27c36fd79acd5bad67aed05e9ccdaf7689a6d71ab23
SHA512: 1334465075a31758c44ddcb2f61861214e6566d98a592711d860433b05112c510e25595c69afc9c8751614074a5e232391c2faff63ad88fbd93bea5c7b818cae
SSDEEP: 12288:SiBxGmRYmsyr7ZcO43JyvhimQ9f7dZb2JkaUE8T/gqGF/I9W:SiBx5YmVcO4ZyvhimQ9pZaJd8jSRIw
TLSH: F2E4BED03B367729DEA85A749619DDB993F21968B004FAF25ADC3B87319D3109E0CF12
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ... ....@.. .......................`............@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4b0596
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6718AEBA [Wed Oct 23 08:07:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb0543 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x63c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xacf3c | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xae59c | 0xae600 | 2565dee60bbdea66ea1d98dcfafc2034 | False | 0.8394923275089605 | data | 7.6517904049016785 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0x63c | 0x800 | c249378a60a95b79cf4a030e7fdaa945 | False | 0.337890625 | data | 3.4814477725287873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb4000 | 0xc | 0x200 | 371812ac03e0b566696af2ed35edf6fe | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb2090 | 0x3ac | data | | | 0.4148936170212766
RT_MANIFEST | 0xb244c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 17:23:51.331111908 CEST | 58801 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:23:51.342884064 CEST | 53 | 58801 | 1.1.1.1 | 192.168.2.5
Oct 23, 2024 17:24:11.330457926 CEST | 56750 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:24:11.346143961 CEST | 53 | 56750 | 1.1.1.1 | 192.168.2.5
Oct 23, 2024 17:24:31.927434921 CEST | 62879 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:24:31.939230919 CEST | 53 | 62879 | 1.1.1.1 | 192.168.2.5
Oct 23, 2024 17:25:13.707437992 CEST | 54184 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:25:13.742898941 CEST | 53 | 54184 | 1.1.1.1 | 192.168.2.5
Oct 23, 2024 17:25:34.959952116 CEST | 58898 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:25:34.970336914 CEST | 53 | 58898 | 1.1.1.1 | 192.168.2.5
Oct 23, 2024 17:25:55.877341032 CEST | 60107 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:25:55.887193918 CEST | 53 | 60107 | 1.1.1.1 | 192.168.2.5
Oct 23, 2024 17:26:16.317172050 CEST | 53600 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:26:16.329062939 CEST | 53 | 53600 | 1.1.1.1 | 192.168.2.5
Oct 23, 2024 17:26:37.083448887 CEST | 62143 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:26:37.094237089 CEST | 53 | 62143 | 1.1.1.1 | 192.168.2.5
Oct 23, 2024 17:26:57.721359015 CEST | 51290 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:26:57.754870892 CEST | 53 | 51290 | 1.1.1.1 | 192.168.2.5
Oct 23, 2024 17:27:18.283685923 CEST | 51114 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:27:18.294787884 CEST | 53 | 51114 | 1.1.1.1 | 192.168.2.5
Oct 23, 2024 17:27:39.705245018 CEST | 49771 | 53 | 192.168.2.5 | 1.1.1.1
Oct 23, 2024 17:27:39.794622898 CEST | 53 | 49771 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 23, 2024 17:23:51.331111908 CEST | 192.168.2.5 | 1.1.1.1 | 0x6a62 | Standard query (0) | www.tmgl.bond | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:24:11.330457926 CEST | 192.168.2.5 | 1.1.1.1 | 0x1a22 | Standard query (0) | www.newordforpurpose.info | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:24:31.927434921 CEST | 192.168.2.5 | 1.1.1.1 | 0x3cee | Standard query (0) | www.39474.club | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:25:13.707437992 CEST | 192.168.2.5 | 1.1.1.1 | 0x36cb | Standard query (0) | www.itygatehousing.app | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:25:34.959952116 CEST | 192.168.2.5 | 1.1.1.1 | 0x7950 | Standard query (0) | www.erkakasrumah.online | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:25:55.877341032 CEST | 192.168.2.5 | 1.1.1.1 | 0x9e20 | Standard query (0) | www.7732.club | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:16.317172050 CEST | 192.168.2.5 | 1.1.1.1 | 0xcd83 | Standard query (0) | www.ehills.shop | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:37.083448887 CEST | 192.168.2.5 | 1.1.1.1 | 0xfdbd | Standard query (0) | www.teamgame-mod.net | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:57.721359015 CEST | 192.168.2.5 | 1.1.1.1 | 0xc90d | Standard query (0) | www.araghospitality.net | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:27:18.283685923 CEST | 192.168.2.5 | 1.1.1.1 | 0x4498 | Standard query (0) | www.ntermoney24cad.homes | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:27:39.705245018 CEST | 192.168.2.5 | 1.1.1.1 | 0x70aa | Standard query (0) | www.ransportationwlsltpro.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 23, 2024 17:23:51.342884064 CEST | 1.1.1.1 | 192.168.2.5 | 0x6a62 | Name error (3) | www.tmgl.bond | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:24:11.346143961 CEST | 1.1.1.1 | 192.168.2.5 | 0x1a22 | Name error (3) | www.newordforpurpose.info | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:24:31.939230919 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cee | Name error (3) | www.39474.club | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:25:13.742898941 CEST | 1.1.1.1 | 192.168.2.5 | 0x36cb | Name error (3) | www.itygatehousing.app | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:25:34.970336914 CEST | 1.1.1.1 | 192.168.2.5 | 0x7950 | Name error (3) | www.erkakasrumah.online | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:25:55.887193918 CEST | 1.1.1.1 | 192.168.2.5 | 0x9e20 | Name error (3) | www.7732.club | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:16.329062939 CEST | 1.1.1.1 | 192.168.2.5 | 0xcd83 | Name error (3) | www.ehills.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:37.094237089 CEST | 1.1.1.1 | 192.168.2.5 | 0xfdbd | Name error (3) | www.teamgame-mod.net | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:26:57.754870892 CEST | 1.1.1.1 | 192.168.2.5 | 0xc90d | Name error (3) | www.araghospitality.net | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:27:18.294787884 CEST | 1.1.1.1 | 192.168.2.5 | 0x4498 | Name error (3) | www.ntermoney24cad.homes | none | none | A (IP address) | IN (0x0001) | false
Oct 23, 2024 17:27:39.794622898 CEST | 1.1.1.1 | 192.168.2.5 | 0x70aa | Name error (3) | www.ransportationwlsltpro.top | none | none | A (IP address) | IN (0x0001) | false

                                                                                                                                                                          Target ID:0
                                                                                                                                                                          Start time:11:23:13
                                                                                                                                                                          Start date:23/10/2024
                                                                                                                                                                          Path:C:\Users\user\Desktop\Bank swift.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\Bank swift.exe"
                                                                                                                                                                          Imagebase:0xd10000
                                                                                                                                                                          File size:717'312 bytes
                                                                                                                                                                          MD5 hash:A9A37483725640F15287EBAD5EDDFABF
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2049494552.0000000004905000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:3
                                                                                                                                                                          Start time:11:23:14
                                                                                                                                                                          Start date:23/10/2024
                                                                                                                                                                          Path:C:\Users\user\Desktop\Bank swift.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\Bank swift.exe"
                                                                                                                                                                          Imagebase:0xab0000
                                                                                                                                                                          File size:717'312 bytes
                                                                                                                                                                          MD5 hash:A9A37483725640F15287EBAD5EDDFABF
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:4
                                                                                                                                                                          Start time:11:23:14
                                                                                                                                                                          Start date:23/10/2024
                                                                                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                          Imagebase:0x7ff674740000
                                                                                                                                                                          File size:5'141'208 bytes
                                                                                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000004.00000002.4516511425.000000000F271000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:false

                                                                                                                                                                          Target ID:5
                                                                                                                                                                          Start time:11:23:17
                                                                                                                                                                          Start date:23/10/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\cscript.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\SysWOW64\cscript.exe"
                                                                                                                                                                          Imagebase:0x780000
                                                                                                                                                                          File size:144'896 bytes
                                                                                                                                                                          MD5 hash:CB601B41D4C8074BE8A84AED564A94DC
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4502153164.0000000003940000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4502103492.0000000003910000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                          Has exited:false

                                                                                                                                                                          Target ID:6
                                                                                                                                                                          Start time:11:23:21
                                                                                                                                                                          Start date:23/10/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del "C:\Users\user\Desktop\Bank swift.exe"
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 11:23:21
Start date: 23/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 12.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2.2%
Total number of Nodes: 273
Total number of Limit Nodes: 13

                                                                                                                                                                            Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2051307871.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: Haq$Haq$Haq$Haq$Haq
• API String ID: 0-1792267638
• Opcode ID: ffedab425608b25a1fdc294f7ee2f006f58a42d502465e43b727c0ba9ae84069
• Instruction ID: bc78ac71c3abe1af3836fc6c0d88e53e3fa2756c85cafc6b07b00efe7978a9fc
• Opcode Fuzzy Hash: ffedab425608b25a1fdc294f7ee2f006f58a42d502465e43b727c0ba9ae84069
• Instruction Fuzzy Hash: F0329D31B042188FDB54DFA8C8907AEBBF2BF84300F1485A9D409AB395DE349D86CF95

APIs
• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 09248B3F
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID:
• API String ID: 1778838933-0
• Opcode ID: 5791a40d8de6eb2e0ea215f759935c47b2cd79eab08769596b4c2c94b969797e
• Instruction ID: d461ccd69e15095ffecde9386975e0d24f9a4b36400af420ef9224f7e104f4bb
• Opcode Fuzzy Hash: 5791a40d8de6eb2e0ea215f759935c47b2cd79eab08769596b4c2c94b969797e
• Instruction Fuzzy Hash: B421EFB59003599FCB10DF9AD885ADEFBF4FF48710F10842AE918A7210D779A544CFA5

APIs
• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 09248B3F
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID:
• API String ID: 1778838933-0
• Opcode ID: 21af5d2d04e95d5ec9aa7705d39089ab90c0804d7a2e777ef1f673df0771dc9d
• Instruction ID: 53dad05fbe822bcb60e336f3f0899eca201f55e052ecded90807f0b9826258b9
• Opcode Fuzzy Hash: 21af5d2d04e95d5ec9aa7705d39089ab90c0804d7a2e777ef1f673df0771dc9d
• Instruction Fuzzy Hash: DF21B2B59113599FCB10DF9AD984ADEFBF4FF48310F108429E918A7210D375A944CFA5

Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3927d3e463927b2b7fedbd842efa3039d2e622ad3099046a32a817e59975b63
• Instruction ID: 91159cead6a8334dd68969ce59259b70f02dea51fb3ab6e9de6427731fd0a9f7
• Opcode Fuzzy Hash: d3927d3e463927b2b7fedbd842efa3039d2e622ad3099046a32a817e59975b63
• Instruction Fuzzy Hash: 48427174E11219CFDB64CFA9C984B9DBBB2FF49301F1492A9E809A7355D730AA81CF50

Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fcc99959d6aedc62eec2482c7e4be495b30a4e15f02913daeefab77040a8f0d6
• Instruction ID: 4c7d4f6ce3ae1505543e120ff98eb937f341a6e4dfb6ed4372e227fbd804b576
• Opcode Fuzzy Hash: fcc99959d6aedc62eec2482c7e4be495b30a4e15f02913daeefab77040a8f0d6
• Instruction Fuzzy Hash: 6132C474A11219CFDB54DFA9C584A8EFBF2BF48311F55D195E448AB212CB30EA85CFA0

Memory Dump Source
• Source File: 00000000.00000002.2051307871.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b7f053a3a2d7aa2cd23bd887d25c117812549d0deee74175d977179b670c539
                                                                                                                                                                            • Instruction ID: cc50aeae672bf3edbff3e571e03eadff4b0a5d9850c5ff8efd71a6a5c2217f24
                                                                                                                                                                            • Opcode Fuzzy Hash: 4b7f053a3a2d7aa2cd23bd887d25c117812549d0deee74175d977179b670c539
                                                                                                                                                                            • Instruction Fuzzy Hash: F8C14A76E002148FDB24CFA9C880B9DFBB2BF89310F14C5AAD409AB255EB719D85CF51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 24db7b3ecb901f52d86c1d7fa8391488cb6783aa6f4bdc36b8fdb716d56aa12e
                                                                                                                                                                            • Instruction ID: 92323f5473a2aad11afd3ea105895f57a5c5da2a17afc6dc7e6d02880a3ea3dd
                                                                                                                                                                            • Opcode Fuzzy Hash: 24db7b3ecb901f52d86c1d7fa8391488cb6783aa6f4bdc36b8fdb716d56aa12e
                                                                                                                                                                            • Instruction Fuzzy Hash: 4C61A375E11218CFDB18CF6AD984BDDBBB2BF88310F1491AAE809A7355DB319A41CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7cf021669c1a051f67a817beb7770f49593e01183144e6d656473286b9659a4b
                                                                                                                                                                            • Instruction ID: 3f1b27898b3f38a6d306b573d7447e76f498332dfca7bfee03105dac29cf36d6
                                                                                                                                                                            • Opcode Fuzzy Hash: 7cf021669c1a051f67a817beb7770f49593e01183144e6d656473286b9659a4b
                                                                                                                                                                            • Instruction Fuzzy Hash: E641C870E106198FEB58DFAAC85079EBBF3BF88300F14C1AAD45CA7265DB344A858F51

                                                                                                                                                                             Control-flow Graph (rendered graph; legend: Executed / Not Executed): function entry 7a04365, basic blocks 7a04365-7a046b5, CreateProcessA called from block 7a044ff-7a045b9, terminal self-looping block 7a046b5
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A045A6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 963392458-0
                                                                                                                                                                            • Opcode ID: 51ea9d667df32b8915f63063f277e4eb4ef82045cbd8db9f2017694937b297ed
                                                                                                                                                                            • Instruction ID: 32443f24a06bc68b51eb1fe96cfd0dc45be913d1df0ae44874d08912ddc9c67f
                                                                                                                                                                            • Opcode Fuzzy Hash: 51ea9d667df32b8915f63063f277e4eb4ef82045cbd8db9f2017694937b297ed
                                                                                                                                                                            • Instruction Fuzzy Hash: 23A1A0B1D0025ACFEF14CF68D840BEDBBB2BF49310F148569D818A7290DB759985CF92

                                                                                                                                                                             Control-flow Graph (rendered graph; legend: Executed / Not Executed): function entry 7a04370 (second entry into the same code as the 7a04365 function above), basic blocks 7a04370-7a046b5, CreateProcessA called from block 7a044ff-7a045b9, terminal self-looping block 7a046b5
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A045A6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 963392458-0
                                                                                                                                                                            • Opcode ID: 82e2afbd3ab443ffd689bfb234f7aec153eac8c0c756c4ae461e7cb8d8b24f5c
                                                                                                                                                                            • Instruction ID: cc399c101b713badac5d42d67b6c336f3da829178f6193800818ed528dbe4bfd
                                                                                                                                                                            • Opcode Fuzzy Hash: 82e2afbd3ab443ffd689bfb234f7aec153eac8c0c756c4ae461e7cb8d8b24f5c
                                                                                                                                                                            • Instruction Fuzzy Hash: 8B91AFB1D0025ACFEF24CF68D840BEDBBB2BF49300F148569D918A7280DB759985CF92
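The two records above place CreateProcessA (call site 07A045A6) in the region at 07A00000, which is marked "based on PE: false", i.e. memory the .NET host did not map from a file on disk; a later record on this page puts WriteProcessMemory (07A03D78) in that same region. A spawn primitive and a remote-write primitive in one unbacked region is the process-hollowing chain the signature list reports. The following is an added example, not Joe Sandbox code or part of this report: a small Python parser for these function records that groups API references by dump region and flags non-PE-backed regions that contain such a chain. The record layout is inferred from the lines on this page; the API sets are this example's assumption (a triage list, not a Joe Sandbox signature); the sample input is constructed by copying records from this page with the similarity lines omitted, and the WriteProcessMemory record is kept truncated as it is on the page.

```python
"""Triage helper for Joe Sandbox function records (added example, not Joe Sandbox code).

Groups each disassembled function's "APIs" references by the memory region it
was dumped from and flags regions that are not PE-backed (unpacked/injected
code) and reference a process-injection primitive. Record layout inferred from
the report page; API sets are an assumption of this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Assumed primitive sets: spawn + remote write in one unbacked region is the
# classic hollowing pattern (CreateProcess* suspended, then write into the child).
SPAWN_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"}
INJECTION_APIS = SPAWN_APIS | WRITE_APIS | {
    "VirtualAllocEx", "NtUnmapViewOfSection", "SetThreadContext",
    "NtSetContextThread", "ResumeThread", "NtResumeThread", "QueueUserAPC",
}

# "• CreateProcessA.KERNELBASE(?,?,...), ref: 07A045A6"
API_RE = re.compile(r"•\s*(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)\([^)]*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# "• Source File: <...>.sdmp, Offset: 07A00000, based on PE: false"
SRC_RE = re.compile(r"Source File:\s*(?P<sdmp>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
HASH_RE = re.compile(r"Instruction Fuzzy Hash:\s*(?P<h>[0-9A-Fa-f]+)")


@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)   # (api name, module, call-site address)
    sdmp: Optional[str] = None                 # memory dump the function was lifted from
    region_base: Optional[int] = None          # "Offset:" base of that region
    pe_backed: Optional[bool] = None           # "based on PE:" flag
    fuzzy_hash: Optional[str] = None           # None when the record is truncated


def parse_records(text: str) -> list:
    """Split report text into one FuncRecord per disassembled function."""
    records, cur = [], FuncRecord()

    def flush():
        nonlocal cur
        if cur.sdmp is not None:          # bare headers without a dump source are dropped
            records.append(cur)
        cur = FuncRecord()

    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Control-flow Graph"):
            flush()                       # either header opens a new function record
        elif line == "Memory Dump Source":
            if cur.sdmp is not None:      # a source-only record following a complete one
                flush()
        elif (m := API_RE.search(line)):
            cur.apis.append((m["api"], m["mod"], int(m["ref"], 16)))
        elif (m := SRC_RE.search(line)):
            cur.sdmp, cur.region_base = m["sdmp"], int(m["off"], 16)
            cur.pe_backed = m["pe"] == "true"
        elif (m := HASH_RE.search(line)):
            cur.fuzzy_hash = m["h"]
    flush()
    return records


def find_hollowing_regions(records: list) -> list:
    """One finding per non-PE-backed region that references an injection API."""
    by_region = defaultdict(lambda: {"pe_backed": True, "apis": defaultdict(set)})
    for r in records:
        slot = by_region[r.region_base]
        slot["pe_backed"] = slot["pe_backed"] and bool(r.pe_backed)
        for api, _mod, ref in r.apis:
            slot["apis"][api].add(ref)

    findings = []
    for base, slot in sorted(by_region.items()):
        hits = set(slot["apis"]) & INJECTION_APIS
        if slot["pe_backed"] or not hits:
            continue                      # file-backed code or no injection primitive
        complete = bool(hits & SPAWN_APIS) and bool(hits & WRITE_APIS)
        findings.append({
            "region": f"{base:08X}",
            "verdict": "process-hollowing chain" if complete else "isolated injection primitive",
            "chain": sorted(hits),
            "call_sites": {a: sorted(f"{x:08X}" for x in slot["apis"][a]) for a in sorted(hits)},
        })
    return findings


# Constructed sample: records copied from this report page, similarity lines
# omitted; the last record is truncated exactly as it is on the page.
SAMPLE_REPORT = """
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A045A6
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
• Instruction Fuzzy Hash: 23A1A0B1D0025ACFEF14CF68D840BEDBBB2BF49310F148569D818A7290DB759985CF92
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0175B03E
Memory Dump Source
• Source File: 00000000.00000002.2048216569.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
• Instruction Fuzzy Hash: 5A814670A00B058FD764DF29D44579AFBF5FF88200F008A2ED88A97A50DB75E949CB90
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
• Instruction Fuzzy Hash: 4C61A375E11218CFDB18CF6AD984BDDBBB2BF88310F1491AAE809A7355DB319A41CF50
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A03D78
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
"""

if __name__ == "__main__":
    for f in find_hollowing_regions(parse_records(SAMPLE_REPORT)):
        print(f"{f['region']}: {f['verdict']} via {', '.join(f['chain'])} at {f['call_sites']}")
```

Run against the sample, the 01750000 region (GetModuleHandleW) and the API-less 09240000 region produce no finding, while 07A00000 is reported as a complete hollowing chain with both call sites. Keying on "based on PE: false" rather than on the API names alone is what keeps a normal .NET host that legitimately calls CreateProcessA from file-backed code out of the result.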

                                                                                                                                                                             Control-flow Graph (rendered graph; legend: Executed / Not Executed): function entry 175ade8, basic blocks 175ade8-175b068, internal calls to 175a10c, 175b071 / 175b080, 175a118, 175a128, 175a138 and 175a148, GetModuleHandleW called from block 175b020-175b04b
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0175B03E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2048216569.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_1750000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HandleModule
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4139908857-0
                                                                                                                                                                            • Opcode ID: 70792fdb93104a812a9282e5b39fa415066aa60d1f8b06d1e9cbe4143178feb3
                                                                                                                                                                            • Instruction ID: 1a6d2fe7fdc4d7f4e25b2b5c4e9e202d3f80870b0d8b82fa5de0a41f6a224fef
                                                                                                                                                                            • Opcode Fuzzy Hash: 70792fdb93104a812a9282e5b39fa415066aa60d1f8b06d1e9cbe4143178feb3
                                                                                                                                                                            • Instruction Fuzzy Hash: 5A814670A00B058FD764DF29D44579AFBF5FF88200F008A2ED88A97A50DB75E949CB90
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 017559C9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2048216569.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_1750000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            • Opcode ID: 545ac51e2b1e72314b613aa427e3394e06091b5a348680cfea6c58394d0bc57b
                                                                                                                                                                            • Instruction ID: 636ba980f2dfc3f9c9b8713d192ee30791e83c25fb7e260538baa1e57b8172bf
                                                                                                                                                                            • Opcode Fuzzy Hash: 545ac51e2b1e72314b613aa427e3394e06091b5a348680cfea6c58394d0bc57b
                                                                                                                                                                            • Instruction Fuzzy Hash: EC41E3B1C0071DCEDB65DFA9C884B9DFBB1BF49304F20806AD418AB255DBB55A46CF90
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 017559C9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2048216569.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_1750000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2289755597-0
                                                                                                                                                                            • Opcode ID: 299949d65972d12a4ae0dccfc9e809fcc2177545d0bec52a15a535fcff18870e
                                                                                                                                                                            • Instruction ID: 8688c36013330f80a4d20b41eee18272ef7e046bf58b69a28a59b043ca9b5f7c
                                                                                                                                                                            • Opcode Fuzzy Hash: 299949d65972d12a4ae0dccfc9e809fcc2177545d0bec52a15a535fcff18870e
                                                                                                                                                                            • Instruction Fuzzy Hash: 1241BFB1C0071DCADB24DFA9C884B9EFBB5BF49704F20806AD408AB255DBB56946CF91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2051307871.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_56a0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateFromIconResource
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3668623891-0
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A03D78
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 056AD88F
Memory Dump Source
• Source File: 00000000.00000002.2051307871.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_Bank swift.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 056AD88F
Memory Dump Source
• Source File: 00000000.00000002.2051307871.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_Bank swift.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A03D78
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A03E58
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A03796
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0175D696,?,?,?,?,?), ref: 0175D757
Memory Dump Source
• Source File: 00000000.00000002.2048216569.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1750000_Bank swift.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A03796
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A03E58
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0175D696,?,?,?,?,?), ref: 0175D757
Memory Dump Source
• Source File: 00000000.00000002.2048216569.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1750000_Bank swift.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 09249818
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID: DebugOutputString
• String ID:
• API String ID: 1166629820-0
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,056AF7A2,?,?,?,?,?), ref: 056AF847
Memory Dump Source
• Source File: 00000000.00000002.2051307871.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_Bank swift.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A03C96
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 09249818
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID: DebugOutputString
• String ID:
• API String ID: 1166629820-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A03C96
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07A0661D
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07A0661D
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0175B03E
Memory Dump Source
• Source File: 00000000.00000002.2048216569.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1750000_Bank swift.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• CloseHandle.KERNELBASE(00000000), ref: 092498B7
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
                                                                                                                                                                            • Opcode ID: aab851658a24b4229f687f4c9db560039403237c10a9b911e871c4a5790e0cb9
                                                                                                                                                                            • Instruction ID: fa759206713699bb6173a784691e0e1f07282ba5d0f49d6c7461d38f7ab12a04
                                                                                                                                                                            • Opcode Fuzzy Hash: aab851658a24b4229f687f4c9db560039403237c10a9b911e871c4a5790e0cb9
                                                                                                                                                                            • Instruction Fuzzy Hash: 841155B58003498FDB10DF9AC844BEEFBF8EF48724F10846AE518A7241C378A584CFA5
                                                                                                                                                                            APIs
                                                                                                                                                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,09240FB9,?,?), ref: 09241160
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2962429428-0
                                                                                                                                                                            • Opcode ID: d7bd2f8174e6266207b6810390653d55ec7ff2844e5d25028edab38e6890e8e8
                                                                                                                                                                            • Instruction ID: 8cd6e94ca95cb75f79ab274808f168a08468117562b8df17110c3a4287309597
                                                                                                                                                                            • Opcode Fuzzy Hash: d7bd2f8174e6266207b6810390653d55ec7ff2844e5d25028edab38e6890e8e8
                                                                                                                                                                            • Instruction Fuzzy Hash: BC1125B58002498FDB20DFAAD945BEEBBF4EF48320F10841AD558A7341C738A584CFA5
                                                                                                                                                                            APIs
                                                                                                                                                                            • CloseHandle.KERNELBASE(00000000), ref: 092498B7
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2962429428-0
                                                                                                                                                                            • Opcode ID: c5446e2230f0f3067d670983a655f4cb55d7a30a126a9495115801494c7e4d57
                                                                                                                                                                            • Instruction ID: 7b5514a16b4d31cfdfd34e9f98b6bfd333e07490df25b5cb9e6022b21b00bc19
                                                                                                                                                                            • Opcode Fuzzy Hash: c5446e2230f0f3067d670983a655f4cb55d7a30a126a9495115801494c7e4d57
                                                                                                                                                                            • Instruction Fuzzy Hash: 741125B58002498FDB10DF9AC544BEEBBF8EF48720F10846AE518A3241D378A984CFE5
                                                                                                                                                                            APIs
                                                                                                                                                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,09240FB9,?,?), ref: 09241160
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2962429428-0
                                                                                                                                                                            • Opcode ID: 1e4bb7c2ce572c8820fb83e3caf5db8db0f9699f05b8b772dc3b2974217fe943
                                                                                                                                                                            • Instruction ID: ebb777852d10454878aacd6e8f4ec136ee0e0e8fe61cc8bb7bcaef19a71b14be
                                                                                                                                                                            • Opcode Fuzzy Hash: 1e4bb7c2ce572c8820fb83e3caf5db8db0f9699f05b8b772dc3b2974217fe943
                                                                                                                                                                            • Instruction Fuzzy Hash: 0D1113B58046498FDB20DF9AC544BAEBBF4EF58320F10841AE958A7241D778A984CFA5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2047880041.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_16cd000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 59fae2bcd499bba05b62f7315c9825cc52ff476994d2c4ae065e73fda68891cb
                                                                                                                                                                            • Instruction ID: 4ddfd5d351d26c735ea07dbdcbc4118c33feb844cc2e17bb747f5c68b323b9b4
                                                                                                                                                                            • Opcode Fuzzy Hash: 59fae2bcd499bba05b62f7315c9825cc52ff476994d2c4ae065e73fda68891cb
                                                                                                                                                                            • Instruction Fuzzy Hash: 5A210071604200DFCB15DF68D980B26BFA5FB88714F20C57DD90A4B396C33AD407CAA2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2047880041.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_16cd000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c669d9862f9181826f682a1a3dd8ab2a6dc64c0b57b790b562182a388fd3e7f6
                                                                                                                                                                            • Instruction ID: caea889cce186bcc81a9928fa03f0d4bd3ff451ee05eb63a56465b050df8da44
                                                                                                                                                                            • Opcode Fuzzy Hash: c669d9862f9181826f682a1a3dd8ab2a6dc64c0b57b790b562182a388fd3e7f6
                                                                                                                                                                            • Instruction Fuzzy Hash: CC21D071504204AFDB05DFA8D984B26BBA6FB88724F20C57DEA494B356C33AD406CAA1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2047880041.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_16cd000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                                                                                                            • Instruction ID: 0c0519df34d858f16c769afcc3639b4c142d57cd1203ef32ec305114c7d5f33c
                                                                                                                                                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                                                                                                            • Instruction Fuzzy Hash: 5311BE75504240DFDB02CF54C9C4B25BF62FB84624F24C6AED9494B356C33AD40ACBA1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2047880041.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_16cd000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                                                                                                            • Instruction ID: aa851354d4bfa89ab49264aac13a572984d30424768b009a611bcdf5be0f2cdf
                                                                                                                                                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                                                                                                            • Instruction Fuzzy Hash: 5711BE75604280DFDB12CF58D9C4B25BF61FB84714F24C6ADD8494B756C33AD40ACBA2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2047834539.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_16bd000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4f10b89196395ecc29939050e0e52ed26f953d5201a5984a02dde41d49e3bce2
                                                                                                                                                                            • Instruction ID: d7952476b7f7692d4008f3f713a079334dbdc832d79e34de72ab10ec53e74376
                                                                                                                                                                            • Opcode Fuzzy Hash: 4f10b89196395ecc29939050e0e52ed26f953d5201a5984a02dde41d49e3bce2
                                                                                                                                                                            • Instruction Fuzzy Hash: 1F0184710043849AE7209AA9CDC4BF6BF98EF45728F18C53AED090E286D3799881CB75
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2047834539.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_16bd000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 284010f6b010b274a0c8ff8b16c2219f5b74ecf1e608b2be78125a2f858c23ff
                                                                                                                                                                            • Instruction ID: 9f4064631314c5f82c026b91ceaf0272f15ef0a04a7e596dfbf6b1d22f28093c
                                                                                                                                                                            • Opcode Fuzzy Hash: 284010f6b010b274a0c8ff8b16c2219f5b74ecf1e608b2be78125a2f858c23ff
                                                                                                                                                                            • Instruction Fuzzy Hash: 0FF062714043849AE7119E1ACDC8BA6FF98EF85734F18C46AED484E386C3799844CBB5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 22defd0996be302ecbd799932fc2061eca04185f764edb5074bf4603bfaccaf6
                                                                                                                                                                            • Instruction ID: 8b4290b370bc241373b0272339e55dcf8ff1e10de52cffaf397231aa845218e7
• Opcode Fuzzy Hash: 22defd0996be302ecbd799932fc2061eca04185f764edb5074bf4603bfaccaf6
• Instruction Fuzzy Hash: 14E1D7B4E002198FCB14DFA9D5809AEBBB2FF89305F24C669D414AB356D734AD41CFA1
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9254d3c979b32d72ba82939af39315927348ba8a89d8c184173a459fade9681a
• Instruction ID: 09a9b143c94fa948e67b62e669ee113b8beae5be4f0a921f36fd739c002437af
• Opcode Fuzzy Hash: 9254d3c979b32d72ba82939af39315927348ba8a89d8c184173a459fade9681a
• Instruction Fuzzy Hash: 61E1F974E102198FCB14DFA8C5809AEFBB2FF49305F248169E918AB356D734AD41CF61
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09cbd22c4b3edb9dd25f67672f4382c72fe497fef9600dd403eff0a685b5e657
• Instruction ID: d368981dcb78679255af8cfb1472967d8f769083d79076e7eef36d6ca674a34c
• Opcode Fuzzy Hash: 09cbd22c4b3edb9dd25f67672f4382c72fe497fef9600dd403eff0a685b5e657
• Instruction Fuzzy Hash: 74E108B4E002198FCB14DFA9D5809AEFBB2FF89305F24856AD414AB356D734AD41CFA1
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bdf84d484d4cf8c5dfee85dcd48a1010c2df6ef24cb1be3ee818fbfc94625472
• Instruction ID: 6f50245806412566b4d06194fe34797edf35e58f8e85d9ae5e2431a7d480180e
• Opcode Fuzzy Hash: bdf84d484d4cf8c5dfee85dcd48a1010c2df6ef24cb1be3ee818fbfc94625472
• Instruction Fuzzy Hash: 04E10674E202198FCB14DFA8C5809AEBBB2FF89305F24C169E518AB356D735AD41CF61
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c015325f7106be2a98ca5a2918a27ce42551d4c64e8b16974c1cc085fde7996a
• Instruction ID: 097581fe8af6fbe0e214f596ac804cdf8576bf79e36933898195edb8adb2b43f
• Opcode Fuzzy Hash: c015325f7106be2a98ca5a2918a27ce42551d4c64e8b16974c1cc085fde7996a
• Instruction Fuzzy Hash: 26E10874E102198FCB14DFA8C9809AEBBB6FF89305F248169E414AB356D734AD41CFA1
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8efea16175e5b993c72a8a8928838272138b7379abf1ed1ca23f51554569634
• Instruction ID: 1d8ce2ed0921ac9a85b9a0d0b3c049b71545b3e8034cb4f85650f22fc4f18c35
• Opcode Fuzzy Hash: d8efea16175e5b993c72a8a8928838272138b7379abf1ed1ca23f51554569634
• Instruction Fuzzy Hash: F6E1E674E202198FCB14DFA9C9809AEFBB2FF89305F248169D518AB356D734AD41CF61
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16370cda305e2a3d55cc7e609304047edc8a9b073a9e70cd1ddf93e9409bb4b3
• Instruction ID: dd072d5aa5d6d4ddd4367e04f75718778129788dc2b632d59d45f49152035f3b
• Opcode Fuzzy Hash: 16370cda305e2a3d55cc7e609304047edc8a9b073a9e70cd1ddf93e9409bb4b3
• Instruction Fuzzy Hash: 85E115B4E002198FCB14DFA9D5809AEFBB2FF89305F24C569D814AB356D734A941CFA1
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4d866531bb14e296dff81dd14c5bc489e82bdb953635de39afcabf6db7bf07b
• Instruction ID: 289e3e7e282cbccc7cd869f43f50d4d553cc6cccc34ccbe06340d5401994dc7b
• Opcode Fuzzy Hash: f4d866531bb14e296dff81dd14c5bc489e82bdb953635de39afcabf6db7bf07b
• Instruction Fuzzy Hash: 5FE1F6B4E002198FCB14DFA9D5809AEFBB2FF89305F248669D414AB356D734AD41CFA1
Memory Dump Source
• Source File: 00000000.00000002.2063549419.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a00000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a9a25a74b31d76c635dd74af1100603c30282e8fd760562da15d3e0e01be9e6
• Instruction ID: 2c2cfb5ed6c9c5b1e6949f435e2bdb21ef411985a9c6bbc1a32476c8cb3283c1
• Opcode Fuzzy Hash: 8a9a25a74b31d76c635dd74af1100603c30282e8fd760562da15d3e0e01be9e6
• Instruction Fuzzy Hash: 69E125B4E002198FCB14DFA9D9809AEBBB2FF89305F248569D414AB356D734AD41CFA1
Memory Dump Source
• Source File: 00000000.00000002.2051307871.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0362d983c1c88f0b4ffadf3a65c169ea613e3a295dde79227deb46fde2c38fb
• Instruction ID: 7911a6bb66ac7709301cceb4b6f676948c292056369d5fce5a48c9f86dbcf2e2
• Opcode Fuzzy Hash: a0362d983c1c88f0b4ffadf3a65c169ea613e3a295dde79227deb46fde2c38fb
• Instruction Fuzzy Hash: 9BE12731D2075A9ACB11EF64D990A9DB771FF95300F50CBAAD00977220EB74AAC9CF91
Memory Dump Source
• Source File: 00000000.00000002.2051307871.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 20e048a0216ac845fce083aac1b4adbf0a61423aa1830a0282f3efef3946b253
• Instruction ID: b31d96373aef5a6332973c75137b2b34817cb8519ad9ccf60dfca5e41b896359
• Opcode Fuzzy Hash: 20e048a0216ac845fce083aac1b4adbf0a61423aa1830a0282f3efef3946b253
• Instruction Fuzzy Hash: 1AD10631D2075A9ACB05EF64D990A9DB771FF95300F50CBAAD00977220EB74AAC9CF91
Memory Dump Source
• Source File: 00000000.00000002.2048216569.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1750000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5c642e914c3504d4d423669c27e0cc59bb74d44c3aef184241cc741e0622753
• Instruction ID: 88310403130bc30dc995f563eda3fa9aca2840fc2e4e96309cc6c4105d455c55
• Opcode Fuzzy Hash: c5c642e914c3504d4d423669c27e0cc59bb74d44c3aef184241cc741e0622753
• Instruction Fuzzy Hash: 44A18136E002168FCF15DFB8C84499EFBB2FF85300B15856AE905AB265DBB1E946CB50
Memory Dump Source
• Source File: 00000000.00000002.2051307871.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ac4deb1fa9bee7ee439b9b1f840a081f13fabed85666a8dd23a941887423e94
• Instruction ID: d44272ba9d0f856bcb383accdcfc6528a93ad511c007e2465ec784aee85ac630
• Opcode Fuzzy Hash: 3ac4deb1fa9bee7ee439b9b1f840a081f13fabed85666a8dd23a941887423e94
• Instruction Fuzzy Hash: 70D1F631D2075A9ACB05EF64D990A9DB771FF95300F50CBAAD00977220EB74AAC9CF51
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc1c8d0288063b12a65f3d7bc551d047ebffd3d7ec796ffd44327ea450e0d5b7
• Instruction ID: fbb0830e6df01b01a651adfeabab3d4736ecd48b396e222ebf0c20b66fa4ac2c
• Opcode Fuzzy Hash: fc1c8d0288063b12a65f3d7bc551d047ebffd3d7ec796ffd44327ea450e0d5b7
• Instruction Fuzzy Hash: C5716E75E116198FDB08DFAAC9849DEFBF2BF88300F14D16AE418AB215D734A946CF50
Memory Dump Source
• Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 1070773eef0f394ad0851a38e3134fe7168f19ccea6cddc5fb4d7774cf8f1587
                                                                                                                                                                            • Instruction ID: ebd25ef2542f31737a46b5e1e7f8dba87f0288f83bd202792ffc4912e5a1ed53
                                                                                                                                                                            • Opcode Fuzzy Hash: 1070773eef0f394ad0851a38e3134fe7168f19ccea6cddc5fb4d7774cf8f1587
                                                                                                                                                                            • Instruction Fuzzy Hash: 56519275D116199FDF08DFEAC9446EEBBB2BF88300F10D02AE919AB254DB345946CF40
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 044a9d3f0d94eb5d7541d27face7e3d857e08f9acffa5a083f41f3cc09839731
                                                                                                                                                                            • Instruction ID: 81eb170b7b1bcddd998bf56cb406245dee8af8727f5d6181c17db3ad0ba6ebe8
                                                                                                                                                                            • Opcode Fuzzy Hash: 044a9d3f0d94eb5d7541d27face7e3d857e08f9acffa5a083f41f3cc09839731
                                                                                                                                                                            • Instruction Fuzzy Hash: 03517D75E006198FDB08DFAAC9846DEFBF2BF88300F14C16AE419AB315DB349946CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2063798272.0000000009240000.00000040.00000800.00020000.00000000.sdmp, Offset: 09240000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_9240000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4820a0d189deea84906c87a03ca5899045751b0f9dc607bb9f716f61a5913258
                                                                                                                                                                            • Instruction ID: 8f083d678abdd9ab38121c16d2b492d8e733bcbbce7e7a4c111f1d1ccc7b51a8
                                                                                                                                                                            • Opcode Fuzzy Hash: 4820a0d189deea84906c87a03ca5899045751b0f9dc607bb9f716f61a5913258
                                                                                                                                                                            • Instruction Fuzzy Hash: 0F418275E006199FDB08DFEAD9956EEBBF2BF88300F14C12AD418AB254DB345946CF40
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2048216569.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_1750000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: de1cf459567b40e78c11796dcf32126e0de79ab66e5a4ce7efd9bdf6ce49528c
                                                                                                                                                                            • Instruction ID: 76892bf4cffe1ee92cfec233249f9b493c8c659537c0af8c41ca1bee6e7a0ab6
                                                                                                                                                                            • Opcode Fuzzy Hash: de1cf459567b40e78c11796dcf32126e0de79ab66e5a4ce7efd9bdf6ce49528c
                                                                                                                                                                            • Instruction Fuzzy Hash: 4121AD8FBB91D5979280A87DEDA3AEF0689AE8042C35BCD73E294EDE34C014C09755A4

                                                                                                                                                                            Execution Graph

                                                                                                                                                                            Execution Coverage:1.4%
                                                                                                                                                                            Dynamic/Decrypted Code Coverage:2.7%
                                                                                                                                                                            Signature Coverage:1.4%
                                                                                                                                                                            Total number of Nodes:556
                                                                                                                                                                            Total number of Limit Nodes:73
                                                                                                                                                                            execution_graph 99644 41f080 99647 41b930 99644->99647 99648 41b956 99647->99648 99655 409d30 99648->99655 99650 41b962 99654 41b983 99650->99654 99663 40c1b0 99650->99663 99652 41b975 99699 41a670 99652->99699 99656 409d3d 99655->99656 99702 409c80 99655->99702 99658 409d44 99656->99658 99714 409c20 99656->99714 99658->99650 99664 40c1d5 99663->99664 100133 40b1b0 99664->100133 99666 40c22c 100137 40ae30 99666->100137 99668 40c252 99698 40c4a3 99668->99698 100146 414390 99668->100146 99670 40c297 99670->99698 100149 408a60 99670->100149 99672 40c2db 99672->99698 100156 41a4c0 99672->100156 99676 40c331 99677 40c338 99676->99677 100168 419fd0 99676->100168 99678 41bd80 2 API calls 99677->99678 99680 40c345 99678->99680 99680->99652 99682 40c382 99683 41bd80 2 API calls 99682->99683 99684 40c389 99683->99684 99684->99652 99685 40c392 99686 40f490 3 API calls 99685->99686 99687 40c406 99686->99687 99687->99677 99688 40c411 99687->99688 99689 41bd80 2 API calls 99688->99689 99690 40c435 99689->99690 100173 41a020 99690->100173 99693 419fd0 2 API calls 99694 40c470 99693->99694 99694->99698 100178 419de0 99694->100178 99697 41a670 2 API calls 99697->99698 99698->99652 99700 41a68f ExitProcess 99699->99700 99701 41af20 LdrLoadDll 99699->99701 99701->99700 99733 418b80 99702->99733 99706 409ca6 99706->99656 99707 409c9c 99707->99706 99740 41b270 99707->99740 99709 409ce3 99709->99706 99751 409aa0 99709->99751 99711 409d03 99757 409620 LdrLoadDll 99711->99757 99713 409d15 99713->99656 99715 409c3a 99714->99715 99716 41b560 LdrLoadDll 99714->99716 100108 41b560 99715->100108 99716->99715 99719 41b560 LdrLoadDll 99720 409c61 99719->99720 99721 40f170 99720->99721 99722 40f189 99721->99722 100116 40b030 99722->100116 99724 40f19c 100120 41a1a0 99724->100120 99727 409d55 99727->99650 99729 40f1c2 99730 
40f1ed 99729->99730 100126 41a220 99729->100126 99731 41a450 2 API calls 99730->99731 99731->99727 99734 418b8f 99733->99734 99758 414e40 99734->99758 99736 409c93 99737 418a30 99736->99737 99764 41a5c0 99737->99764 99741 41b289 99740->99741 99771 414a40 99741->99771 99743 41b2a1 99744 41b2aa 99743->99744 99810 41b0b0 99743->99810 99744->99709 99746 41b2be 99746->99744 99828 419ec0 99746->99828 100086 407ea0 99751->100086 99753 409aba 99754 409ac1 99753->99754 100099 408160 99753->100099 99754->99711 99757->99713 99759 414e5a 99758->99759 99760 414e4e 99758->99760 99759->99736 99760->99759 99763 4152c0 LdrLoadDll 99760->99763 99762 414fac 99762->99736 99763->99762 99767 41af20 99764->99767 99766 418a45 99766->99707 99768 41af30 99767->99768 99770 41af52 99767->99770 99769 414e40 LdrLoadDll 99768->99769 99769->99770 99770->99766 99772 414d75 99771->99772 99782 414a54 99771->99782 99772->99743 99775 414b80 99839 41a320 99775->99839 99776 414b63 99896 41a420 LdrLoadDll 99776->99896 99779 414b6d 99779->99743 99780 414ba7 99781 41bd80 2 API calls 99780->99781 99783 414bb3 99781->99783 99782->99772 99836 419c10 99782->99836 99783->99779 99784 414d39 99783->99784 99785 414d4f 99783->99785 99790 414c42 99783->99790 99786 41a450 2 API calls 99784->99786 99905 414780 LdrLoadDll NtReadFile NtClose 99785->99905 99787 414d40 99786->99787 99787->99743 99789 414d62 99789->99743 99791 414ca9 99790->99791 99793 414c51 99790->99793 99791->99784 99792 414cbc 99791->99792 99898 41a2a0 99792->99898 99795 414c56 99793->99795 99796 414c6a 99793->99796 99897 414640 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 99795->99897 99798 414c87 99796->99798 99799 414c6f 99796->99799 99798->99787 99854 414400 99798->99854 99842 4146e0 99799->99842 99801 414c60 99801->99743 99804 414d1c 99902 41a450 99804->99902 99805 414c7d 99805->99743 99808 414c9f 99808->99743 99809 414d28 99809->99743 99811 41b0c1 99810->99811 99812 41b0d3 99811->99812 99923 41bd00 99811->99923 99812->99746 99814 
41b0f4 99926 414060 99814->99926 99816 41b140 99816->99746 99817 41b117 99817->99816 99818 414060 3 API calls 99817->99818 99820 41b139 99818->99820 99820->99816 99958 415380 99820->99958 99821 41b1ca 99822 41b1da 99821->99822 100052 41aec0 LdrLoadDll 99821->100052 99968 41ad30 99822->99968 99825 41b208 100047 419e80 99825->100047 99829 41af20 LdrLoadDll 99828->99829 99830 419edc 99829->99830 100080 1662c0a 99830->100080 99831 419ef7 99833 41bd80 99831->99833 99834 41b319 99833->99834 100083 41a630 99833->100083 99834->99709 99837 41af20 LdrLoadDll 99836->99837 99838 414b34 99837->99838 99838->99775 99838->99776 99838->99779 99840 41af20 LdrLoadDll 99839->99840 99841 41a33c NtCreateFile 99840->99841 99841->99780 99843 4146fc 99842->99843 99844 41a2a0 LdrLoadDll 99843->99844 99845 41471d 99844->99845 99846 414724 99845->99846 99847 414738 99845->99847 99848 41a450 2 API calls 99846->99848 99849 41a450 2 API calls 99847->99849 99851 41472d 99848->99851 99850 414741 99849->99850 99906 41bf90 LdrLoadDll RtlAllocateHeap 99850->99906 99851->99805 99853 41474c 99853->99805 99855 41444b 99854->99855 99856 41447e 99854->99856 99857 41a2a0 LdrLoadDll 99855->99857 99858 4145c9 99856->99858 99862 41449a 99856->99862 99859 414466 99857->99859 99860 41a2a0 LdrLoadDll 99858->99860 99861 41a450 2 API calls 99859->99861 99866 4145e4 99860->99866 99863 41446f 99861->99863 99864 41a2a0 LdrLoadDll 99862->99864 99863->99808 99865 4144b5 99864->99865 99868 4144d1 99865->99868 99869 4144bc 99865->99869 99919 41a2e0 LdrLoadDll 99866->99919 99872 4144d6 99868->99872 99873 4144ec 99868->99873 99871 41a450 2 API calls 99869->99871 99870 41461e 99874 41a450 2 API calls 99870->99874 99875 4144c5 99871->99875 99876 41a450 2 API calls 99872->99876 99882 4144f1 99873->99882 99907 41bf50 99873->99907 99878 414629 99874->99878 99875->99808 99879 4144df 99876->99879 99877 414503 99877->99808 99878->99808 99879->99808 99882->99877 99910 41a3d0 99882->99910 99883 414557 99889 41456e 99883->99889 99918 
41a260 LdrLoadDll 99883->99918 99885 414575 99887 41a450 2 API calls 99885->99887 99886 41458a 99888 41a450 2 API calls 99886->99888 99887->99877 99890 414593 99888->99890 99889->99885 99889->99886 99891 4145bf 99890->99891 99913 41bb50 99890->99913 99891->99808 99893 4145aa 99894 41bd80 2 API calls 99893->99894 99895 4145b3 99894->99895 99895->99808 99896->99779 99897->99801 99899 41af20 LdrLoadDll 99898->99899 99900 414d04 99898->99900 99899->99900 99901 41a2e0 LdrLoadDll 99900->99901 99901->99804 99903 41a46c NtClose 99902->99903 99904 41af20 LdrLoadDll 99902->99904 99903->99809 99904->99903 99905->99789 99906->99853 99920 41a5f0 99907->99920 99909 41bf68 99909->99882 99911 41af20 LdrLoadDll 99910->99911 99912 41a3ec NtReadFile 99911->99912 99912->99883 99914 41bb74 99913->99914 99915 41bb5d 99913->99915 99914->99893 99915->99914 99916 41bf50 2 API calls 99915->99916 99917 41bb8b 99916->99917 99917->99893 99918->99889 99919->99870 99921 41af20 LdrLoadDll 99920->99921 99922 41a60c RtlAllocateHeap 99921->99922 99922->99909 100053 41a500 99923->100053 99925 41bd2d 99925->99814 99927 414071 99926->99927 99928 414079 99926->99928 99927->99817 99957 41434c 99928->99957 100056 41cef0 99928->100056 99930 4140cd 99931 41cef0 2 API calls 99930->99931 99935 4140d8 99931->99935 99932 414126 99934 41cef0 2 API calls 99932->99934 99938 41413a 99934->99938 99935->99932 99936 41d020 3 API calls 99935->99936 100067 41cf90 LdrLoadDll RtlAllocateHeap RtlFreeHeap 99935->100067 99936->99935 99937 414197 99939 41cef0 2 API calls 99937->99939 99938->99937 100061 41d020 99938->100061 99941 4141ad 99939->99941 99942 4141ea 99941->99942 99944 41d020 3 API calls 99941->99944 99943 41cef0 2 API calls 99942->99943 99945 4141f5 99943->99945 99944->99941 99946 41d020 3 API calls 99945->99946 99952 41422f 99945->99952 99946->99945 99948 414324 100069 41cf50 LdrLoadDll RtlFreeHeap 99948->100069 99950 41432e 100070 41cf50 LdrLoadDll RtlFreeHeap 99950->100070 100068 41cf50 LdrLoadDll RtlFreeHeap 
99952->100068 99953 414338 100071 41cf50 LdrLoadDll RtlFreeHeap 99953->100071 99955 414342 100072 41cf50 LdrLoadDll RtlFreeHeap 99955->100072 99957->99817 99959 415391 99958->99959 99960 414a40 8 API calls 99959->99960 99961 4153a7 99960->99961 99962 4153e2 99961->99962 99963 4153f5 99961->99963 99967 4153fa 99961->99967 99964 41bd80 2 API calls 99962->99964 99965 41bd80 2 API calls 99963->99965 99966 4153e7 99964->99966 99965->99967 99966->99821 99967->99821 100073 41abf0 99968->100073 99971 41abf0 LdrLoadDll 99972 41ad4d 99971->99972 99973 41abf0 LdrLoadDll 99972->99973 99974 41ad56 99973->99974 99975 41abf0 LdrLoadDll 99974->99975 99976 41ad5f 99975->99976 99977 41abf0 LdrLoadDll 99976->99977 99978 41ad68 99977->99978 99979 41abf0 LdrLoadDll 99978->99979 99980 41ad71 99979->99980 99981 41abf0 LdrLoadDll 99980->99981 99982 41ad7d 99981->99982 99983 41abf0 LdrLoadDll 99982->99983 99984 41ad86 99983->99984 99985 41abf0 LdrLoadDll 99984->99985 99986 41ad8f 99985->99986 99987 41abf0 LdrLoadDll 99986->99987 99988 41ad98 99987->99988 99989 41abf0 LdrLoadDll 99988->99989 99990 41ada1 99989->99990 99991 41abf0 LdrLoadDll 99990->99991 99992 41adaa 99991->99992 99993 41abf0 LdrLoadDll 99992->99993 99994 41adb6 99993->99994 99995 41abf0 LdrLoadDll 99994->99995 99996 41adbf 99995->99996 99997 41abf0 LdrLoadDll 99996->99997 99998 41adc8 99997->99998 99999 41abf0 LdrLoadDll 99998->99999 100000 41add1 99999->100000 100001 41abf0 LdrLoadDll 100000->100001 100002 41adda 100001->100002 100003 41abf0 LdrLoadDll 100002->100003 100004 41ade3 100003->100004 100005 41abf0 LdrLoadDll 100004->100005 100006 41adef 100005->100006 100007 41abf0 LdrLoadDll 100006->100007 100008 41adf8 100007->100008 100009 41abf0 LdrLoadDll 100008->100009 100010 41ae01 100009->100010 100011 41abf0 LdrLoadDll 100010->100011 100012 41ae0a 100011->100012 100013 41abf0 LdrLoadDll 100012->100013 100014 41ae13 100013->100014 100015 41abf0 LdrLoadDll 100014->100015 100016 41ae1c 100015->100016 100017 41abf0 
LdrLoadDll 100016->100017 100018 41ae28 100017->100018 100019 41abf0 LdrLoadDll 100018->100019 100020 41ae31 100019->100020 100021 41abf0 LdrLoadDll 100020->100021 100022 41ae3a 100021->100022 100023 41abf0 LdrLoadDll 100022->100023 100024 41ae43 100023->100024 100025 41abf0 LdrLoadDll 100024->100025 100026 41ae4c 100025->100026 100027 41abf0 LdrLoadDll 100026->100027 100028 41ae55 100027->100028 100029 41abf0 LdrLoadDll 100028->100029 100030 41ae61 100029->100030 100031 41abf0 LdrLoadDll 100030->100031 100032 41ae6a 100031->100032 100033 41abf0 LdrLoadDll 100032->100033 100034 41ae73 100033->100034 100035 41abf0 LdrLoadDll 100034->100035 100036 41ae7c 100035->100036 100037 41abf0 LdrLoadDll 100036->100037 100038 41ae85 100037->100038 100039 41abf0 LdrLoadDll 100038->100039 100040 41ae8e 100039->100040 100041 41abf0 LdrLoadDll 100040->100041 100042 41ae9a 100041->100042 100043 41abf0 LdrLoadDll 100042->100043 100044 41aea3 100043->100044 100045 41abf0 LdrLoadDll 100044->100045 100046 41aeac 100045->100046 100046->99825 100048 41af20 LdrLoadDll 100047->100048 100049 419e9c 100048->100049 100079 1662df0 LdrInitializeThunk 100049->100079 100050 419eb3 100050->99746 100052->99822 100054 41a51c NtAllocateVirtualMemory 100053->100054 100055 41af20 LdrLoadDll 100053->100055 100054->99925 100055->100054 100057 41cf00 100056->100057 100058 41cf06 100056->100058 100057->99930 100059 41bf50 2 API calls 100058->100059 100060 41cf2c 100059->100060 100060->99930 100062 41cf90 100061->100062 100063 41cfed 100062->100063 100064 41bf50 2 API calls 100062->100064 100063->99938 100065 41cfca 100064->100065 100066 41bd80 2 API calls 100065->100066 100066->100063 100067->99935 100068->99948 100069->99950 100070->99953 100071->99955 100072->99957 100074 41ac0b 100073->100074 100075 414e40 LdrLoadDll 100074->100075 100076 41ac2b 100075->100076 100077 414e40 LdrLoadDll 100076->100077 100078 41acd7 100076->100078 100077->100078 100078->99971 100079->100050 100081 1662c1f LdrInitializeThunk 
100080->100081 100082 1662c11 100080->100082 100081->99831 100082->99831 100084 41af20 LdrLoadDll 100083->100084 100085 41a64c RtlFreeHeap 100084->100085 100085->99834 100087 407eb0 100086->100087 100088 407eab 100086->100088 100089 41bd00 2 API calls 100087->100089 100088->99753 100090 407ed5 100089->100090 100091 407f38 100090->100091 100092 419e80 2 API calls 100090->100092 100093 407f3e 100090->100093 100097 41bd00 2 API calls 100090->100097 100102 41a580 100090->100102 100091->99753 100092->100090 100095 407f64 100093->100095 100096 41a580 2 API calls 100093->100096 100095->99753 100098 407f55 100096->100098 100097->100090 100098->99753 100100 41a580 2 API calls 100099->100100 100101 40817e 100100->100101 100101->99711 100103 41a59c 100102->100103 100104 41af20 LdrLoadDll 100102->100104 100107 1662c70 LdrInitializeThunk 100103->100107 100104->100103 100105 41a5b3 100105->100090 100107->100105 100109 41b583 100108->100109 100112 40ace0 100109->100112 100113 40ad04 100112->100113 100114 40ad40 LdrLoadDll 100113->100114 100115 409c4b 100113->100115 100114->100115 100115->99719 100117 40b053 100116->100117 100119 40b0d0 100117->100119 100131 419c50 LdrLoadDll 100117->100131 100119->99724 100121 41af20 LdrLoadDll 100120->100121 100122 40f1ab 100121->100122 100122->99727 100123 41a790 100122->100123 100124 41a7af LookupPrivilegeValueW 100123->100124 100125 41af20 LdrLoadDll 100123->100125 100124->99729 100125->100124 100127 41a23c 100126->100127 100128 41af20 LdrLoadDll 100126->100128 100132 1662ea0 LdrInitializeThunk 100127->100132 100128->100127 100129 41a25b 100129->99730 100131->100119 100132->100129 100134 40b1b9 100133->100134 100135 40b030 LdrLoadDll 100134->100135 100136 40b1f4 100135->100136 100136->99666 100138 40ae41 100137->100138 100139 40ae3d 100137->100139 100140 40ae8c 100138->100140 100143 40ae5a 100138->100143 100139->99668 100184 419c90 LdrLoadDll 100140->100184 100142 40ae9d 100142->99668 100183 419c90 LdrLoadDll 100143->100183 100145 40ae7c 
100145->99668 100147 40f490 3 API calls 100146->100147 100148 4143b6 100147->100148 100148->99670 100150 408a79 100149->100150 100185 4087a0 100149->100185 100152 4087a0 19 API calls 100150->100152 100155 408a9d 100150->100155 100153 408a8a 100152->100153 100153->100155 100203 40f700 10 API calls 100153->100203 100155->99672 100157 41af20 LdrLoadDll 100156->100157 100158 41a4dc 100157->100158 100323 1662e80 LdrInitializeThunk 100158->100323 100159 40c312 100161 40f490 100159->100161 100162 40f4ad 100161->100162 100324 419f80 100162->100324 100165 40f4f5 100165->99676 100166 419fd0 2 API calls 100167 40f51e 100166->100167 100167->99676 100169 419fec 100168->100169 100170 41af20 LdrLoadDll 100168->100170 100330 1662d10 LdrInitializeThunk 100169->100330 100170->100169 100171 40c375 100171->99682 100171->99685 100174 41af20 LdrLoadDll 100173->100174 100175 41a03c 100174->100175 100331 1662d30 LdrInitializeThunk 100175->100331 100176 40c449 100176->99693 100179 41af20 LdrLoadDll 100178->100179 100180 419dfc 100179->100180 100332 1662fb0 LdrInitializeThunk 100180->100332 100181 40c49c 100181->99697 100183->100145 100184->100142 100186 407ea0 4 API calls 100185->100186 100201 4087ba 100185->100201 100186->100201 100187 408a49 100187->100150 100188 408a3f 100189 408160 2 API calls 100188->100189 100189->100187 100192 419ec0 2 API calls 100192->100201 100194 41a450 LdrLoadDll NtClose 100194->100201 100197 40c4b0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 100197->100201 100200 419de0 2 API calls 100200->100201 100201->100187 100201->100188 100201->100192 100201->100194 100201->100197 100201->100200 100204 419cd0 100201->100204 100208 4085d0 100201->100208 100220 40f5e0 LdrLoadDll NtClose 100201->100220 100221 419d50 LdrLoadDll 100201->100221 100222 419d80 LdrLoadDll 100201->100222 100223 419e10 LdrLoadDll 100201->100223 100224 4083a0 100201->100224 100240 405f60 LdrLoadDll 100201->100240 100203->100155 100205 419cdf 100204->100205 100206 
41af20 LdrLoadDll 100205->100206 100207 419cec 100206->100207 100207->100201 100209 4085e6 100208->100209 100241 419840 100209->100241 100211 4085ff 100216 408771 100211->100216 100262 4081a0 100211->100262 100213 4086e5 100214 4083a0 11 API calls 100213->100214 100213->100216 100215 408713 100214->100215 100215->100216 100217 419ec0 2 API calls 100215->100217 100216->100201 100218 408748 100217->100218 100218->100216 100219 41a4c0 2 API calls 100218->100219 100219->100216 100220->100201 100221->100201 100222->100201 100223->100201 100225 4083c9 100224->100225 100302 408310 100225->100302 100227 4083dc 100229 41a4c0 2 API calls 100227->100229 100230 408467 100227->100230 100231 408462 100227->100231 100310 40f660 100227->100310 100229->100227 100230->100201 100232 41a450 2 API calls 100231->100232 100233 40849a 100232->100233 100233->100230 100234 419cd0 LdrLoadDll 100233->100234 100235 4084ff 100234->100235 100235->100230 100314 419d10 100235->100314 100237 408563 100237->100230 100238 414a40 8 API calls 100237->100238 100239 4085b8 100238->100239 100239->100201 100240->100201 100242 41bf50 2 API calls 100241->100242 100243 419857 100242->100243 100269 409310 100243->100269 100245 419872 100246 4198b0 100245->100246 100247 419899 100245->100247 100249 41bd00 2 API calls 100246->100249 100248 41bd80 2 API calls 100247->100248 100250 4198a6 100248->100250 100251 4198ea 100249->100251 100250->100211 100252 41bd00 2 API calls 100251->100252 100253 419903 100252->100253 100259 419ba4 100253->100259 100275 41bd40 100253->100275 100256 419b90 100257 41bd80 2 API calls 100256->100257 100258 419b9a 100257->100258 100258->100211 100260 41bd80 2 API calls 100259->100260 100261 419bf9 100260->100261 100261->100211 100263 40829f 100262->100263 100264 4081b5 100262->100264 100263->100213 100264->100263 100265 414a40 8 API calls 100264->100265 100266 408222 100265->100266 100267 41bd80 2 API calls 100266->100267 100268 408249 100266->100268 100267->100268 100268->100213 100270 
409335 100269->100270 100271 40ace0 LdrLoadDll 100270->100271 100272 409368 100271->100272 100274 40938d 100272->100274 100278 40cf10 100272->100278 100274->100245 100296 41a540 100275->100296 100279 40cf3c 100278->100279 100280 41a1a0 LdrLoadDll 100279->100280 100281 40cf55 100280->100281 100282 40cf5c 100281->100282 100289 41a1e0 100281->100289 100282->100274 100286 40cf97 100287 41a450 2 API calls 100286->100287 100288 40cfba 100287->100288 100288->100274 100290 41a1fc 100289->100290 100291 41af20 LdrLoadDll 100289->100291 100295 1662ca0 LdrInitializeThunk 100290->100295 100291->100290 100292 40cf7f 100292->100282 100294 41a7d0 LdrLoadDll 100292->100294 100294->100286 100295->100292 100297 41af20 LdrLoadDll 100296->100297 100298 41a55c 100297->100298 100301 1662f90 LdrInitializeThunk 100298->100301 100299 419b89 100299->100256 100299->100259 100301->100299 100303 408328 100302->100303 100304 40ace0 LdrLoadDll 100303->100304 100305 408343 100303->100305 100304->100305 100306 414e40 LdrLoadDll 100305->100306 100307 408353 100306->100307 100308 40835c PostThreadMessageW 100307->100308 100309 408370 100307->100309 100308->100309 100309->100227 100311 40f673 100310->100311 100317 419e50 100311->100317 100315 419d2c 100314->100315 100316 41af20 LdrLoadDll 100314->100316 100315->100237 100316->100315 100318 419e6c 100317->100318 100319 41af20 LdrLoadDll 100317->100319 100322 1662dd0 LdrInitializeThunk 100318->100322 100319->100318 100320 40f69e 100320->100227 100322->100320 100323->100159 100325 419f9c 100324->100325 100326 41af20 LdrLoadDll 100324->100326 100329 1662f30 LdrInitializeThunk 100325->100329 100326->100325 100327 40f4ee 100327->100165 100327->100166 100329->100327 100330->100171 100331->100176 100332->100181 100336 1662ad0 LdrInitializeThunk

Control-flow Graph
control_flow_graph 0 41a3d0-41a419 call 41af20 NtReadFile
APIs
• NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
Strings
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: !JA$bMA$bMA
• API String ID: 2738559852-4222312340
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Control-flow Graph
control_flow_graph 268 40ace0-40acfc 269 40ad04-40ad09 268->269 270 40acff call 41cc10 268->270 271 40ad0b-40ad0e 269->271 272 40ad0f-40ad1d call 41d030 269->272 270->269 275 40ad2d-40ad3e call 41b460 272->275 276 40ad1f-40ad2a call 41d2b0 272->276 281 40ad40-40ad54 LdrLoadDll 275->281 282 40ad57-40ad5a 275->282 276->275 281->282
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

Control-flow Graph
control_flow_graph 283 41a320-41a371 call 41af20 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Control-flow Graph
control_flow_graph 286 41a500-41a516 287 41a51c-41a53d NtAllocateVirtualMemory 286->287 288 41a517 call 41af20 286->288 288->287
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Control-flow Graph
control_flow_graph 289 41a4fb-41a53d call 41af20 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: aaf07d7c655785086d8b5f0a451b4062681b2a67c108c2b33990bb495246c866
• Instruction ID: 94507bbf397dcc5c3ac71cc5815c082cb0521fc5d078fd0b1a8f82b8904cbc8a
• Opcode Fuzzy Hash: aaf07d7c655785086d8b5f0a451b4062681b2a67c108c2b33990bb495246c866
• Instruction Fuzzy Hash: 48F030B62001496BCB15DF98DC85CA777A9BF88214B15865EFD489B203C634D865CBA0

APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 3633968ca4f3d3abc0fc2ebd89152368de9531e50e60495f0fab90ebf612694e
• Instruction ID: 85268407bda5badd3f005600f786efbf3729bfdc64a558162e38e0f63659b094
• Opcode Fuzzy Hash: 3633968ca4f3d3abc0fc2ebd89152368de9531e50e60495f0fab90ebf612694e
• Instruction Fuzzy Hash: 00E0C272200204AFDB20DFA9DC89FEB7B68EF44364F14455AFA0CDB282C531E6118B90

APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0
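
The per-function blocks above all share one layout (a control_flow_graph line, an APIs list of captured stack values with a ref: call-site address, the memory dump source and the similarity hashes), and the three native-API stubs each call 41af20 before invoking NtReadFile, NtCreateFile or NtAllocateVirtualMemory. The Python script below is added here as a worked example; it is not part of the Joe Sandbox report or its tooling. It parses that listing into records, lists which call sites invoke which native API, finds the helper address shared by the stubs, and flags well-known constants among the captured stack values. Its input is three blocks copied from this page (a constructed sample, trimmed). Decoding 00003000 and 00000040 as MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE is a candidate reading only: the listing is a raw dump of stack slots and does not say which slot holds which parameter.

```python
"""Parse the per-function blocks of a Joe Sandbox 'Executed Functions' listing and
summarise the native API usage they record (added example, not part of the report)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: three blocks copied from this report, whitespace trimmed and
# most Similarity fields dropped to keep the sample short.
SAMPLE = """
Control-flow Graph
control_flow_graph 0 41a3d0-41a419 call 41af20 NtReadFile
APIs
• NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileRead
• Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4
Control-flow Graph
control_flow_graph 286 41a500-41a516 287 41a51c-41a53d NtAllocateVirtualMemory 286->287 288 41a517 call 41af20 286->288 288->287
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Similarity
• API ID: AllocateMemoryVirtual
APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
"""

API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
RANGE_RE = re.compile(r"\b([0-9a-f]{5,8})-[0-9a-f]{5,8}\b")   # first basic-block range
HELPER_RE = re.compile(r"\bcall ([0-9a-f]{5,8})\b")            # helper called before the Nt* API
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# Well-known NT constants. The listing is a raw dump of stack slots at the call site, so a
# hit is a candidate decode only (assumption); it does not prove which parameter the slot is.
KNOWN_VALUES = {"00003000": "MEM_COMMIT|MEM_RESERVE", "00000040": "PAGE_EXECUTE_READWRITE"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str

@dataclass
class FunctionBlock:
    start: Optional[str] = None          # first basic-block start address from the CFG line
    helper: Optional[str] = None         # address reached via 'call' before the native API
    cfg: Optional[str] = None
    source_offset: Optional[str] = None  # base of the memory dump the function was lifted from
    apis: List[ApiCall] = field(default_factory=list)
    similarity: Dict[str, str] = field(default_factory=dict)
    apis_seen: bool = False

def parse_blocks(text: str) -> List[FunctionBlock]:
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()                 # tolerates the report's deep indentation
        if line == "Control-flow Graph":
            cur = FunctionBlock(); blocks.append(cur); section = None
        elif line.startswith("control_flow_graph ") and cur is not None:
            cur.cfg = line
            m, h = RANGE_RE.search(line), HELPER_RE.search(line)
            cur.start, cur.helper = (m.group(1) if m else None), (h.group(1) if h else None)
        elif line in SECTIONS:
            if line == "APIs":             # a block without a CFG begins at its APIs header
                if cur is None or cur.apis_seen:
                    cur = FunctionBlock(); blocks.append(cur)
                cur.apis_seen = True
            section = line
        elif line.startswith("•") and cur is not None:
            item = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(item)):
                cur.apis.append(ApiCall(m["name"], m["module"], m["args"].split(","), m["ref"].upper()))
            elif section == "Memory Dump Source" and (m := re.search(r"Offset: ([0-9A-Fa-f]+)", item)):
                cur.source_offset = m.group(1).upper()
            elif section == "Similarity" and ": " in item:
                key, _, value = item.partition(": ")
                cur.similarity[key] = value
    return blocks

def api_refs(blocks: List[FunctionBlock]) -> Dict[str, List[str]]:
    """Native API name -> call-site addresses ('ref:') that invoke it."""
    out: Dict[str, List[str]] = {}
    for b in blocks:
        for a in b.apis:
            out.setdefault(a.name, []).append(a.ref)
    return out

def shared_helper(blocks: List[FunctionBlock]) -> Optional[Tuple[str, int]]:
    """Address the Nt* stubs call first, and how many stubs share it."""
    counts = Counter(b.helper for b in blocks if b.helper)
    return counts.most_common(1)[0] if counts else None

def decode_known_values(call: ApiCall) -> List[str]:
    """Candidate decodes of well-known constants among the captured stack values."""
    return list(dict.fromkeys(KNOWN_VALUES[a] for a in call.args if a in KNOWN_VALUES))

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    for name, refs in api_refs(blocks).items():
        print(f"{name:<24} ref {', '.join(refs)}")
    print("shared helper:", shared_helper(blocks))
    print("candidate decodes:", decode_known_values(blocks[1].apis[0]))
```

Run against the full listing, the same parser gives a per-address table of native API use and the instruction fuzzy hashes, which is the form in which these stubs are most conveniently compared against other samples.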

APIs
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ccb6725167cf3c6fcc5f46eae2291cf729cf734ab64d7158a4eff0fe6b893c86
• Instruction ID: c094ff774621442249ccdcac35c2955db6d1e2b771fcc15579f40e1bd43956a3
• Opcode Fuzzy Hash: ccb6725167cf3c6fcc5f46eae2291cf729cf734ab64d7158a4eff0fe6b893c86
• Instruction Fuzzy Hash: 1D90026120240003410575584818617400E97E0201B55C131E5014690EC5258D916225
APIs
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 6eefed697dc7baac61e392c7d45b1c304182fdb8af345db80c3faabc59ac4dc2
                                                                                                                                                                            • Instruction ID: 577adceda164299ae625314c4a374c6e25363ad44c8e2849a63a6511d0c8ee05
                                                                                                                                                                            • Opcode Fuzzy Hash: 6eefed697dc7baac61e392c7d45b1c304182fdb8af345db80c3faabc59ac4dc2
                                                                                                                                                                            • Instruction Fuzzy Hash: 6590027120140402D14075584808747000997D0301F55C121A9064654FC6598ED56765
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: c18c85a2a4449529f2e95d2012287dac07077f080482b6f20e5403bfcbc632c3
                                                                                                                                                                            • Instruction ID: 190e5d8c0731743c04a734760077fd6fbc74101c49768f65093c7f9ad80c4862
                                                                                                                                                                            • Opcode Fuzzy Hash: c18c85a2a4449529f2e95d2012287dac07077f080482b6f20e5403bfcbc632c3
                                                                                                                                                                            • Instruction Fuzzy Hash: AE90022160140502D10175584808617000E97D0241F95C132A5024655FCA258E92A231
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                                                                            • Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
                                                                                                                                                                            • Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                                                                            • Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6

Control-flow Graph
control_flow_graph 3 41a5f0-41a621 call 41af20 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
Strings
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: &EA
• API String ID: 1279760036-1330915590
• Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
• Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

Control-flow Graph
control_flow_graph 202 4082d4-4082d8 203 408331-408343 call 40ace0 202->203 204 4082da-4082db 202->204 206 408347-40835a call 414e40 203->206 204->206 207 4082dd-4082fd call 41b860 call 41b710 204->207 214 40835c-40836e PostThreadMessageW 206->214 215 40838e-408392 206->215 217 408370-40838a call 40a470 214->217 218 40838d 214->218 217->218 218->215
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 0c5670ac6251c0a60da8687f5d77d26f275b51540f007e75c674e4efe23d972f
• Instruction ID: 19c01656c3898c69e84ee8908718035e3049677ab4d7dde92baba569fadc05e3
• Opcode Fuzzy Hash: 0c5670ac6251c0a60da8687f5d77d26f275b51540f007e75c674e4efe23d972f
• Instruction Fuzzy Hash: 50012D3164031C77E711B5615C02FEE7358AB84B54F09017EFE44FB2C1DAB96D0642E9

Control-flow Graph
control_flow_graph 221 40830c-40833d call 41be20 call 41c9c0 226 408343-40835a call 414e40 221->226 227 40833e call 40ace0 221->227 231 40835c-40836e PostThreadMessageW 226->231 232 40838e-408392 226->232 227->226 233 408370-40838a call 40a470 231->233 234 40838d 231->234 233->234 234->232
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 19c66865f75542f675f54a46dd6cd54def56d3851c5970707138c9339e0e24a1
• Instruction ID: 8733b47f60013285a8807cb7a5d81815fd96b1e7676cb7f4731c5b02c55d18d7
• Opcode Fuzzy Hash: 19c66865f75542f675f54a46dd6cd54def56d3851c5970707138c9339e0e24a1
• Instruction Fuzzy Hash: 7601D871A803187AE720A6918C03FFE6B1C9B41B55F05016EFF04FA1C1D6A9290647E9

Control-flow Graph
control_flow_graph 237 408310-40831f 238 408328-40833d call 41c9c0 237->238 239 408323 call 41be20 237->239 242 408343-40835a call 414e40 238->242 243 40833e call 40ace0 238->243 239->238 247 40835c-40836e PostThreadMessageW 242->247 248 40838e-408392 242->248 243->242 249 408370-40838a call 40a470 247->249 250 40838d 247->250 249->250 250->248
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
• Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
• Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
• Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

Control-flow Graph
control_flow_graph 253 408393-408394 255 408333-40833d 253->255 256 40832e call 41c9c0 253->256 257 408343-40835a call 414e40 255->257 258 40833e call 40ace0 255->258 256->255 262 40835c-40836e PostThreadMessageW 257->262 263 40838e-408392 257->263 258->257 264 408370-40838a call 40a470 262->264 265 40838d 262->265 264->265 265->263
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 8c991781031f8c6d473ebbd6a23dc71827103370b9fd2e7a6c452dfc9f5126f3
• Instruction ID: 3e3665392b07dc50b903ca1482a20c39a0d8d9c50d14a314250b7dbfb1e47f4d
• Opcode Fuzzy Hash: 8c991781031f8c6d473ebbd6a23dc71827103370b9fd2e7a6c452dfc9f5126f3
• Instruction Fuzzy Hash: 2DF02271A8032877E7206A544C02FFF27185B81F14F09016EFE84FA1C1DABE690202EA
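The four PostThreadMessageW entries above all reference the same call site, 0040836A: they are one function that the disassembler entered at different addresses (4082d4, 40830c, 408310, 408393), not four distinct functions, and the Msg argument 00000111 is WM_COMMAND. To correlate such entries by Opcode ID, fuzzy hash, call site or memory-dump origin, whether within this report or across reports of related samples, the blocks need to be in structured form. The parser below is an added example and is not Joe Sandbox's own code; SAMPLE is a constructed, abridged excerpt of the entries above, the field-name keys are the report's own labels, and the window-message table holds only a few constants from winuser.h.

```python
"""Parser for the per-function metadata blocks that Joe Sandbox prints in the
disassembly part of a report (the layout shown above). This is an added
example, not Joe Sandbox code: each block becomes a dict keyed by the report's
own field names, so call sites, fuzzy hashes and dump provenance can be joined."""
import re

# A few window-message constants from winuser.h, for decoding the Msg argument.
WINDOW_MESSAGES = {0x0000: "WM_NULL", 0x0010: "WM_CLOSE", 0x0012: "WM_QUIT",
                   0x0111: "WM_COMMAND", 0x0400: "WM_USER"}
BULLET = "• "
API_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
NODE_RE = re.compile(r"\b(\d+) ([0-9a-f]{6,8})(?:-([0-9a-f]{6,8}))?")
EDGE_RE = re.compile(r"(\d+)->(\d+)")
DUMP_RE = re.compile(r"Source File: (\d+)\.(\d+)\.(\d+)\.([0-9A-F]{16})\.\S+, "
                     r"Offset: ([0-9A-F]+), based on PE: (true|false)")

# Constructed, abridged excerpt of three of the entries above (test input).
SAMPLE = """\
Control-flow Graph
• Executed
control_flow_graph 3 41a5f0-41a621 call 41af20 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AllocateHeap
• String ID: &EA
• Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0
Control-flow Graph
control_flow_graph 202 4082d4-4082d8 203 408331-408343 call 40ace0 202->203 204 4082da-4082db 202->204
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: MessagePostThread
• Opcode ID: 0c5670ac6251c0a60da8687f5d77d26f275b51540f007e75c674e4efe23d972f
• Instruction Fuzzy Hash: 50012D3164031C77E711B5615C02FEE7358AB84B54F09017EFE44FB2C1DAB96D0642E9
Control-flow Graph
control_flow_graph 253 408393-408394 255 408333-40833d 253->255 256 40832e call 41c9c0 253->256
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: MessagePostThread
• Opcode ID: 8c991781031f8c6d473ebbd6a23dc71827103370b9fd2e7a6c452dfc9f5126f3
• Instruction Fuzzy Hash: 2DF02271A8032877E7206A544C02FFF27185B81F14F09016EFE84FA1C1DABE690202EA
"""


def parse_report(text):
    """One dict per function block; a block ends at its 'Instruction Fuzzy
    Hash' line, which every Joe Sandbox entry carries as its last field."""
    records, cur = [], {"apis": [], "cfg": None}
    for line in (ln.strip() for ln in text.splitlines()):
        bulleted = line.startswith(BULLET)
        body = line[len(BULLET):] if bulleted else line
        if body.startswith("control_flow_graph"):        # node ranges and edges
            nodes = {int(n): (int(s, 16), int(e or s, 16))
                     for n, s, e in NODE_RE.findall(body)}
            edges = [(int(a), int(b)) for a, b in EDGE_RE.findall(body)]
            cur["cfg"] = {"nodes": nodes, "edges": edges}
        elif not bulleted:                                # section headers
            continue
        elif (m := API_RE.match(body)):                   # resolved API call site
            name, module, args, ref = m.groups()
            cur["apis"].append({"name": name, "module": module,
                                "args": args.split(","), "ref": int(ref, 16)})
        elif (m := DUMP_RE.search(body)):                 # which process dump
            proc, dump, _, base, offset, pe = m.groups()
            cur["dump"] = {"process": int(proc), "dump": int(dump),
                           "base": int(base, 16), "offset": int(offset, 16),
                           "pe": pe == "true"}
        elif ":" in body:                                 # plain "key: value" field
            key, _, value = body.partition(":")
            cur[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":   # last field of a block
                records.append(cur)
                cur = {"apis": [], "cfg": None}
        # bullets without a colon (the Executed / Not Executed legend) are ignored
    return records


def shared_call_sites(records):
    """Map (API name, call-site address) to the Opcode IDs of the blocks that
    reach it. One site reached from several blocks is one function that the
    disassembler entered at different addresses, not several functions."""
    sites = {}
    for rec in records:
        for api in rec["apis"]:
            sites.setdefault((api["name"], api["ref"]), set()).add(rec.get("Opcode ID"))
    return sites


def decode_post_thread_message(api):
    """Symbolic name for the Msg argument of a PostThreadMessageW call site."""
    if api["name"] != "PostThreadMessageW":
        return None
    msg = int(api["args"][1], 16)
    return WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")
```

Run against the full report text, shared_call_sites collapses the entries that share 0040836A into a single site with four Opcode IDs, and the "dump" field separates functions recovered from the 00400000 image (the injected payload that the report's Yara rules matched) from those in the 015F0000 region; the Opcode ID and Instruction Fuzzy Hash columns are the values to carry into a cross-sample similarity query.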

Control-flow Graph
• 292: 41a781-41a7aa call 41af20
• 294: 41a7af-41a7c4 LookupPrivilegeValueW
• edges: 292->294
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

Control-flow Graph
• 295: 41a630-41a661 call 41af20 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0

Control-flow Graph
• 298: 41a790-41a7a9
• 299: 41a7af-41a7c4 LookupPrivilegeValueW
• 300: 41a7aa call 41af20
• edges: 298->299, 298->300, 300->299
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0

APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0

APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332

Strings
• Invalid debug info address of this critical section, xrefs: 016954B6
• Critical section address, xrefs: 01695425, 016954BC, 01695534
• Critical section debug info address, xrefs: 0169541F, 0169552E
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016954CE
• corrupted critical section, xrefs: 016954C2
• Critical section address., xrefs: 01695502
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0169540A, 01695496, 01695519
• double initialized or corrupted critical section, xrefs: 01695508
• Thread is in a state in which it cannot own a critical section, xrefs: 01695543
• undeleted critical section in freed memory, xrefs: 0169542B
• 8, xrefs: 016952E3
• Thread identifier, xrefs: 0169553A
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016954E2
• Address of the debug info found in the active list., xrefs: 016954AE, 016954FA
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
                                                                                                                                                                            Strings
                                                                                                                                                                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 0169261F
                                                                                                                                                                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01692498
                                                                                                                                                                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016924C0
                                                                                                                                                                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01692602
                                                                                                                                                                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01692409
                                                                                                                                                                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01692412
                                                                                                                                                                            • @, xrefs: 0169259B
                                                                                                                                                                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016922E4
                                                                                                                                                                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016925EB
                                                                                                                                                                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01692624
                                                                                                                                                                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01692506
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                                                                                            • API String ID: 0-4009184096
                                                                                                                                                                            • Opcode ID: 0addbda2fce9b074ce08ffa26b08aed430abe3267155031481cd85fbcb12e3a9
                                                                                                                                                                            • Instruction ID: 50477a5b079f1cc7fdc7de9d36a4a02eaa918015fe78191584f7f5ff1be26f50
                                                                                                                                                                            • Opcode Fuzzy Hash: 0addbda2fce9b074ce08ffa26b08aed430abe3267155031481cd85fbcb12e3a9
                                                                                                                                                                            • Instruction Fuzzy Hash: 480271F1D002299BDF61DB54CC90BDAB7B8AF54704F4041DEEA49A7242DB30AE85CF99
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                                                                            • API String ID: 0-2515994595
                                                                                                                                                                            • Opcode ID: 1e2792530a14b62722e5c21aabb334c1ab2bbd3273eecfb7868f395b19370922
                                                                                                                                                                            • Instruction ID: 4dd67992774c87bca94494996c5272a7ec8608ba93582e4e971314c33fae4315
                                                                                                                                                                            • Opcode Fuzzy Hash: 1e2792530a14b62722e5c21aabb334c1ab2bbd3273eecfb7868f395b19370922
                                                                                                                                                                            • Instruction Fuzzy Hash: 3151AD725143119BD335DF188C44BBBBBECFF98A50F14491DEA9987241E770E605CB92
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                                                                            • API String ID: 0-1700792311
                                                                                                                                                                            • Opcode ID: eaa1250881261e6ac580c6a5e7dd4f10aa2a52c2d8dfec4e771cb6ba0057a6fd
                                                                                                                                                                            • Instruction ID: 44ac22dbe00aefd5692c418cb075a0d912af376f58072904bc4d210b271a25ea
                                                                                                                                                                            • Opcode Fuzzy Hash: eaa1250881261e6ac580c6a5e7dd4f10aa2a52c2d8dfec4e771cb6ba0057a6fd
                                                                                                                                                                            • Instruction Fuzzy Hash: 61D1DD35A10686DFDB22DF68C840AADBBF2FF5A720F18805DF9469B352C7749941CB14
                                                                                                                                                                            Strings
                                                                                                                                                                            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 016A8A67
                                                                                                                                                                            • VerifierDlls, xrefs: 016A8CBD
                                                                                                                                                                            • VerifierDebug, xrefs: 016A8CA5
                                                                                                                                                                            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 016A8A3D
                                                                                                                                                                            • AVRF: -*- final list of providers -*- , xrefs: 016A8B8F
                                                                                                                                                                            • VerifierFlags, xrefs: 016A8C50
                                                                                                                                                                            • HandleTraces, xrefs: 016A8C8F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                                                                            • API String ID: 0-3223716464
                                                                                                                                                                            • Opcode ID: f9b51af734a1837f3bee85562cc6d9e22a31951cf80dc929e7e67eff0eabbdda
                                                                                                                                                                            • Instruction ID: 48a7302cf29a48ba59118e43c03b7e11610c999f4981a013c636d59cef2a29e5
                                                                                                                                                                            • Opcode Fuzzy Hash: f9b51af734a1837f3bee85562cc6d9e22a31951cf80dc929e7e67eff0eabbdda
                                                                                                                                                                            • Instruction Fuzzy Hash: 539156B2645302AFD326EF6CCC90B5BBBE9AB95724F84445CFA426B240C7709D01CF99
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                                                            • API String ID: 0-792281065
                                                                                                                                                                            • Opcode ID: 76746f02d1e4142bd119b802e9892be6deebcaa499b140034f286a70b4244438
                                                                                                                                                                            • Instruction ID: ee014a96e8cb5ad270e7316f341e71a211a805a4ece796aca13e4a4a7b885772
                                                                                                                                                                            • Opcode Fuzzy Hash: 76746f02d1e4142bd119b802e9892be6deebcaa499b140034f286a70b4244438
                                                                                                                                                                            • Instruction Fuzzy Hash: EC914770B013129BDF39DF58DD94BAA7BAABF41B34F40816CE9016B385DB709842C794
                                                                                                                                                                            Strings
                                                                                                                                                                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01679A2A
                                                                                                                                                                            • LdrpInitShimEngine, xrefs: 016799F4, 01679A07, 01679A30
                                                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 01679A11, 01679A3A
                                                                                                                                                                            • apphelp.dll, xrefs: 01616496
                                                                                                                                                                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01679A01
                                                                                                                                                                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016799ED
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                            • API String ID: 0-204845295
                                                                                                                                                                            • Opcode ID: 6b0ef37530f6adfc620fb89a308784897d54a279798f9c43636cc4b5a65f56a2
                                                                                                                                                                            • Instruction ID: 0f85633c8adf0777c03b097af34fc3bb54f5bc783f4fe9970db0082ec51c0e7b
                                                                                                                                                                            • Opcode Fuzzy Hash: 6b0ef37530f6adfc620fb89a308784897d54a279798f9c43636cc4b5a65f56a2
                                                                                                                                                                            • Instruction Fuzzy Hash: 0C51E1712083019FE725EF28CC91A6B77E9FF84768F04491DE985972A4DB70E944CB92
                                                                                                                                                                            Strings
                                                                                                                                                                            • RtlGetAssemblyStorageRoot, xrefs: 01692160, 0169219A, 016921BA
                                                                                                                                                                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0169219F
                                                                                                                                                                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01692178
                                                                                                                                                                            • SXS: %s() passed the empty activation context, xrefs: 01692165
                                                                                                                                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016921BF
                                                                                                                                                                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01692180
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                                                            • API String ID: 0-861424205
                                                                                                                                                                            • Opcode ID: 59eac647a97c6b4e53b377dfeef0ddf3e1ea80861bcce05535e163657380da44
                                                                                                                                                                            • Instruction ID: d0f60609bb4faeeeca29bbf3fd6feee4ca54ba8b4a4ed42a1b9f5ef82192c684
                                                                                                                                                                            • Opcode Fuzzy Hash: 59eac647a97c6b4e53b377dfeef0ddf3e1ea80861bcce05535e163657380da44
                                                                                                                                                                            • Instruction Fuzzy Hash: 6A314876F00215B7EB22CA998CA1F6B7B7DEB65A41F05406DFF0567240D370AE01C7A1
Strings
• LdrpInitializeImportRedirection, xrefs: 01698177, 016981EB
• minkernel\ntdll\ldrredirect.c, xrefs: 01698181, 016981F5
• minkernel\ntdll\ldrinit.c, xrefs: 0165C6C3
• LdrpInitializeProcess, xrefs: 0165C6C4
• Unable to build import redirection Table, Status = 0x%x, xrefs: 016981E5
• Loading import redirection DLL: '%wZ', xrefs: 01698170
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
APIs
  • Part of subcall function 01662DF0: LdrInitializeThunk.NTDLL ref: 01662DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01660D74
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2108333509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_Bank swift.jbxd
Yara matches
Similarity
• API ID:
• String ID: C$a$b$d$i
• API String ID: 0-2334916691
Strings
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 01658421
• LdrpInitializeProcess, xrefs: 01658422
• @, xrefs: 01658591
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0165855E
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
Strings
• SXS: %s() passed the empty activation context, xrefs: 016921DE
• .Local, xrefs: 016528D8
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016922B6
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016921D9, 016922B1
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
Strings
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 0169342A
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01693456
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01693437
• RtlDeactivateActivationContext, xrefs: 01693425, 01693432, 01693451
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
Strings
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01680FE5
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0168106B
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01681028
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016810AE
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 0168A9A2
• apphelp.dll, xrefs: 01642462
• LdrpDynamicShimModule, xrefs: 0168A998
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0168A992
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
                                                                                                                                                                            • Opcode ID: 40766f0747439a1d03b1a75d812afa49a3d9dbf286935927c574667ea479df9a
                                                                                                                                                                            • Instruction ID: ebab9575c0d7abab44d41c2f6418a22a26c7f51417e13d3ba16c16b9003b374d
                                                                                                                                                                            • Opcode Fuzzy Hash: 40766f0747439a1d03b1a75d812afa49a3d9dbf286935927c574667ea479df9a
                                                                                                                                                                            • Instruction Fuzzy Hash: 6D316B75650202EBDB31AF9DDC85E6ABBB5FB84B20F26415EFD0167349C7B05982CB80
                                                                                                                                                                            Strings
                                                                                                                                                                            • HEAP: , xrefs: 01633264
                                                                                                                                                                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0163327D
                                                                                                                                                                            • HEAP[%wZ]: , xrefs: 01633255
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                                                                                            • API String ID: 0-617086771
                                                                                                                                                                            • Opcode ID: beb4f93cf4221fa00bb50b3e0cdf0ca7bb5b8a2b05167586006e82c9d2185acc
                                                                                                                                                                            • Instruction ID: 315edae81eab34eb9b95ec6791035038c414e411fc47745c0b14478b83b8dff8
                                                                                                                                                                            • Opcode Fuzzy Hash: beb4f93cf4221fa00bb50b3e0cdf0ca7bb5b8a2b05167586006e82c9d2185acc
                                                                                                                                                                            • Instruction Fuzzy Hash: D392BC71A042499FEB25CF68C8547AEBBF1FF89314F18805DE846AB391D734A946CF50
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                            • API String ID: 0-4253913091
                                                                                                                                                                            • Opcode ID: 540cf724d8eb5c73ed3811accd8ab1925d96d840c86a6d82eabbd7020dee3cbc
                                                                                                                                                                            • Instruction ID: e89b2cdae23f084df9e468ea54943c08b3c5819514cbeb15f401c40d6b443caa
                                                                                                                                                                            • Opcode Fuzzy Hash: 540cf724d8eb5c73ed3811accd8ab1925d96d840c86a6d82eabbd7020dee3cbc
                                                                                                                                                                            • Instruction Fuzzy Hash: BBF1AF30600606DFEB25DF68CC94B6AB7F6FF84704F1482A9E5569B381D734E986CB90
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID: $@
                                                                                                                                                                            • API String ID: 2994545307-1077428164
                                                                                                                                                                            • Opcode ID: 18d1ec9b677ef3d664547193d7980801f3c3d9b567a42612661e1d749525c64f
                                                                                                                                                                            • Instruction ID: 3df312599905ed2550ceab1a0d3e11de5adcc1d076c7ba6b153b84f7ed052a7a
                                                                                                                                                                            • Opcode Fuzzy Hash: 18d1ec9b677ef3d664547193d7980801f3c3d9b567a42612661e1d749525c64f
                                                                                                                                                                            • Instruction Fuzzy Hash: A9C26D716083519FEB25CF28CC81BABBBE5AF89754F04892DF98987341D734D845CBA2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                                                                            • API String ID: 0-2779062949
                                                                                                                                                                            • Opcode ID: 66e3b462108e9cc2c115084768d791ba1aaf799aa98a00a9242dc8aa73e0f4da
                                                                                                                                                                            • Instruction ID: c8969d603df6a2c8806528b39df793f5656d61a34d2974e505bd757a7d70d722
                                                                                                                                                                            • Opcode Fuzzy Hash: 66e3b462108e9cc2c115084768d791ba1aaf799aa98a00a9242dc8aa73e0f4da
                                                                                                                                                                            • Instruction Fuzzy Hash: 4AA19E7191162A9BDB31DF68CC88BEAB7B9FF44710F0441EAEA08A7210D7359E84CF54
                                                                                                                                                                            Strings
                                                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 0168A121
                                                                                                                                                                            • LdrpCheckModule, xrefs: 0168A117
                                                                                                                                                                            • Failed to allocated memory for shimmed module list, xrefs: 0168A10F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                                                                                            • API String ID: 0-161242083
                                                                                                                                                                            • Opcode ID: 85e42eb243bc58872ee6c8a24d88422aca71315fc50ba16f57a1f43f11134aa6
                                                                                                                                                                            • Instruction ID: 0a07079f10b82248c352056c2390c65a1010808ac2962a297c5c9ece3aec0d8e
                                                                                                                                                                            • Opcode Fuzzy Hash: 85e42eb243bc58872ee6c8a24d88422aca71315fc50ba16f57a1f43f11134aa6
                                                                                                                                                                            • Instruction Fuzzy Hash: 6271D070A00216DFDB25EFACCD80AAEB7F5FB44214F14816DE942A7351E774A942CB54
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                            • API String ID: 0-1334570610
                                                                                                                                                                            • Opcode ID: 178633fc1dabdd7e47d9d70bd53a90e00589c17cff79077cce49f916141e7d35
                                                                                                                                                                            • Instruction ID: 25f070452fa4f04a920b37fa30de2fa877c07550aaf0b773fd85771b36ab4225
                                                                                                                                                                            • Opcode Fuzzy Hash: 178633fc1dabdd7e47d9d70bd53a90e00589c17cff79077cce49f916141e7d35
                                                                                                                                                                            • Instruction Fuzzy Hash: 3E61AE706003059FDB29DF28C840B6ABBE2FF85704F14865DE8568B396D771E886CB95
                                                                                                                                                                            Strings
                                                                                                                                                                            • Failed to reallocate the system dirs string !, xrefs: 016982D7
                                                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 016982E8
                                                                                                                                                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 016982DE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                                                                            • API String ID: 0-1783798831
                                                                                                                                                                            • Opcode ID: fd360fc302135ccd7204513fe1164ffa9e157b1338d116d5be0dd564da292ac7
                                                                                                                                                                            • Instruction ID: ba8eea6dcc79c3a657b37db413014c7a64b4514860774b04c4564647633516ad
                                                                                                                                                                            • Opcode Fuzzy Hash: fd360fc302135ccd7204513fe1164ffa9e157b1338d116d5be0dd564da292ac7
                                                                                                                                                                            • Instruction Fuzzy Hash: 2041E071504301ABCB21EB68DC44B6B7BEDEF89B60F00892EFA4897294E770D801CB95
                                                                                                                                                                            Strings
                                                                                                                                                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 016DC1C5
                                                                                                                                                                            • @, xrefs: 016DC1F1
                                                                                                                                                                            • PreferredUILanguages, xrefs: 016DC212
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                                                                            • API String ID: 0-2968386058
                                                                                                                                                                            • Opcode ID: 4363f72733ec7c46ab9fb2fda3fd907b64770aaf683e07330fd4e7b8ef366b24
                                                                                                                                                                            • Instruction ID: 6d3ffe50855e7982f0a421f3709fb1f14548a012362b1373f827e851994ca6e0
                                                                                                                                                                            • Opcode Fuzzy Hash: 4363f72733ec7c46ab9fb2fda3fd907b64770aaf683e07330fd4e7b8ef366b24
                                                                                                                                                                            • Instruction Fuzzy Hash: EA417172E0021DEBDB11DAD9CC91BEEBBBDAB14700F14816EE609A7244D7749A44CB94
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                                                                            • API String ID: 0-1373925480
                                                                                                                                                                            • Opcode ID: 3ccf32fdd9159c572cf60fe00be02e6c10d53027490e85e39116fc10fc42f477
                                                                                                                                                                            • Instruction ID: 8dfb85b9ab79ae7535f0fa62dd13560962699763f9128ade4dd5dcb8c4829dbd
                                                                                                                                                                            • Opcode Fuzzy Hash: 3ccf32fdd9159c572cf60fe00be02e6c10d53027490e85e39116fc10fc42f477
                                                                                                                                                                            • Instruction Fuzzy Hash: EF412632A006588BEB26DBD9CD84BEDBBB9FF55340F14046DD902EB382DB359981CB51
                                                                                                                                                                            Strings
                                                                                                                                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 016A4899
                                                                                                                                                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 016A4888
                                                                                                                                                                            • LdrpCheckRedirection, xrefs: 016A488F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                            • API String ID: 0-3154609507
                                                                                                                                                                            • Opcode ID: f78fd2a08833c62fc106fbfc2bc7147049202d60c167c7a0e1b8c2a8b48de1ae
                                                                                                                                                                            • Instruction ID: 3e567b938d98e34fa9a4fdf1b980047cc4c8aa15cb968f166791b9e98da8c6b5
                                                                                                                                                                            • Opcode Fuzzy Hash: f78fd2a08833c62fc106fbfc2bc7147049202d60c167c7a0e1b8c2a8b48de1ae
                                                                                                                                                                            • Instruction Fuzzy Hash: AD41C332A046919FCB21CE5CEC40A267BE9FF49A50B4A056DED4997351DBB0EC01CF91
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                                                            • API String ID: 0-2558761708
                                                                                                                                                                            • Opcode ID: 90e71fa0d1c91a174136b69c75a7bd9c01da67c8a0efb7f5439b720cc48a420b
                                                                                                                                                                            • Instruction ID: 7f915320a8c34357439fbab741a0bf1ae657cb7a125ff64346cdf7c8711227ed
                                                                                                                                                                            • Opcode Fuzzy Hash: 90e71fa0d1c91a174136b69c75a7bd9c01da67c8a0efb7f5439b720cc48a420b
                                                                                                                                                                            • Instruction Fuzzy Hash: A311CD353561029FDB29EA1CCC41B66B3A6AF81716F18826DF4078B255DB30D846C755
                                                                                                                                                                            Strings
                                                                                                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 016A2104
                                                                                                                                                                            • LdrpInitializationFailure, xrefs: 016A20FA
                                                                                                                                                                            • Process initialization failed with status 0x%08lx, xrefs: 016A20F3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                                                                            • API String ID: 0-2986994758
                                                                                                                                                                            • Opcode ID: d9e6ba07839b377f176e9890be0007851d0909889a9bc5cf72809e431c17770f
                                                                                                                                                                            • Instruction ID: 0a398b9a486c5a5bf0225e5e5000dc69d7b9e6412145924e78aa12db1d2e565e
                                                                                                                                                                            • Opcode Fuzzy Hash: d9e6ba07839b377f176e9890be0007851d0909889a9bc5cf72809e431c17770f
                                                                                                                                                                            • Instruction Fuzzy Hash: C5F0C835680309ABE725DA4CDC56F96376DFB41B64F50005DF70467281D6B0AE40CA95
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                                                            • String ID: #%u
                                                                                                                                                                            • API String ID: 48624451-232158463
                                                                                                                                                                            • Opcode ID: 9a346bbe9418ec5373f6945ef0aa304a8517e4eac99bc689d37cfe6935a6fe3c
                                                                                                                                                                            • Instruction ID: 685549cb593ec2771926c2a58dec1ec1f9e7366ab011f22a9d26d1efd6b86160
                                                                                                                                                                            • Opcode Fuzzy Hash: 9a346bbe9418ec5373f6945ef0aa304a8517e4eac99bc689d37cfe6935a6fe3c
                                                                                                                                                                            • Instruction Fuzzy Hash: E2713772A0014A9FDB01DFA8CD94BAEB7F9AF48304F144169E905E7251EB34EE05CB64
                                                                                                                                                                            Strings
                                                                                                                                                                            • LdrResSearchResource Enter, xrefs: 0162AA13
                                                                                                                                                                            • LdrResSearchResource Exit, xrefs: 0162AA25
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                                                                                            • API String ID: 0-4066393604
                                                                                                                                                                            • Opcode ID: a3943bcffb2763472ffdccaefb8994743d7ed69e66bfcf80730d863d3db85c00
                                                                                                                                                                            • Instruction ID: 618d22072f1609f62344f4e33529d8eaaef1ecb43697eaf763fdd38b98e43a31
                                                                                                                                                                            • Opcode Fuzzy Hash: a3943bcffb2763472ffdccaefb8994743d7ed69e66bfcf80730d863d3db85c00
                                                                                                                                                                            • Instruction Fuzzy Hash: 3FE15D71A006299FEB229EDDCE90BAEBBBABF04710F10452AE901E7751D7B4D941CF50
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: `$`
                                                                                                                                                                            • API String ID: 0-197956300
                                                                                                                                                                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                                            • Instruction ID: 2d38147ae5ac134512bf80f73553ac4cc97d7a245de551955f9b82f04b1beb3f
                                                                                                                                                                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                                                            • Instruction Fuzzy Hash: 90C1BE312053429BEB24CF68CC49B6BBBE6AFD4318F084B2CF6968B290D774D509CB55
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID: Legacy$UEFI
                                                                                                                                                                            • API String ID: 2994545307-634100481
                                                                                                                                                                            • Opcode ID: d2be99efa34965375b01c85f5bb29c2e7bfb98473f7daaa22db35b5cc745ffee
                                                                                                                                                                            • Instruction ID: 2a9aedf3313bd3bfa16efd70506c8299a1cc45fb1fe74f4338e5e59dab337b4c
                                                                                                                                                                            • Opcode Fuzzy Hash: d2be99efa34965375b01c85f5bb29c2e7bfb98473f7daaa22db35b5cc745ffee
                                                                                                                                                                            • Instruction Fuzzy Hash: 3D615871E006199FDB24DFA88D40BAEBBB9FB48700F15406EE649EB291D732A941CB54
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: @$MUI
                                                                                                                                                                            • API String ID: 0-17815947
                                                                                                                                                                            • Opcode ID: 1d8c1e4de66991b4f2b2b8729933d11e1396d357136e86ebb52e702b0400e63a
                                                                                                                                                                            • Instruction ID: c056c5a3f4c81e7dea5d1b4b5e34e84551fd0a940ec688050a5ce2a93b0c88c3
                                                                                                                                                                            • Opcode Fuzzy Hash: 1d8c1e4de66991b4f2b2b8729933d11e1396d357136e86ebb52e702b0400e63a
                                                                                                                                                                            • Instruction Fuzzy Hash: 285118B1D0021DAEDB11DFA9CC90AEEBBBDEB54B54F10452DE611B7290DB309D05CB64
                                                                                                                                                                            Strings
                                                                                                                                                                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0162063D
                                                                                                                                                                            • kLsE, xrefs: 01620540
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                                                                            • API String ID: 0-2547482624
                                                                                                                                                                            • Opcode ID: ee716b6577eccfa8e74e3ebc6240e9cd353c07bb921e6cee2022ca05c2594448
                                                                                                                                                                            • Instruction ID: 048b9725adb6f53532aae7a806799023e76b46b75d431b980a183391b670d33a
                                                                                                                                                                            • Opcode Fuzzy Hash: ee716b6577eccfa8e74e3ebc6240e9cd353c07bb921e6cee2022ca05c2594448
                                                                                                                                                                            • Instruction Fuzzy Hash: 3F51AC71504B628BD734DF68C9446A7BBE8AF85304F10883EFA9A87341E7709545CF96
                                                                                                                                                                            Strings
                                                                                                                                                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 0162A309
                                                                                                                                                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 0162A2FB
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                                                                                            • API String ID: 0-2876891731
                                                                                                                                                                            • Opcode ID: a7099aa55a6fd6d8960ce774b2e137d6154d2767a83d556649c36d50a6fb3faa
                                                                                                                                                                            • Instruction ID: 0465d27b226ef08ee8e6f4db28c421a58d2d8a44baff0c57a6a9083ef9fb3821
                                                                                                                                                                            • Opcode Fuzzy Hash: a7099aa55a6fd6d8960ce774b2e137d6154d2767a83d556649c36d50a6fb3faa
                                                                                                                                                                            • Instruction Fuzzy Hash: 4541DC31A01A66CBDB21DF99CC40B6A7BB5FF84704F1441A9E900DB792E3B5C901CF85
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
Strings
Similarity
• API ID:
• String ID: MUI
• API String ID: 0-1339004836
Strings
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
Strings
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
Strings
Similarity
• API ID:
• String ID: GlobalTags
• API String ID: 0-1106856819
Strings
Similarity
• API ID:
• String ID: .mui
• API String ID: 0-1199573805
Strings
Similarity
• API ID:
• String ID: EXT-
• API String ID: 0-1948896318
Strings
Similarity
• API ID:
• String ID: BinaryHash
• API String ID: 0-2202222882
Strings
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
Strings
Similarity
• API ID:
• String ID: BinaryName
• API String ID: 0-215506332
Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 016A895E
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
• API String ID: 0-702105204
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                            • Opcode ID: c0bf3aa31ad41576bed732cc09d32c002a906075c4cc6874537eeee8d356b196
                                                                                                                                                                            • Instruction ID: edbe0fbeb6a1504840189c320f0cc8658dddd1217e21783138a9ea6b273326da
                                                                                                                                                                            • Opcode Fuzzy Hash: c0bf3aa31ad41576bed732cc09d32c002a906075c4cc6874537eeee8d356b196
                                                                                                                                                                            • Instruction Fuzzy Hash: 2E42AE756093418BD725CF68CCA0A7BBBE6EB88B00F49492EFE8697350D770D845CB52
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3e230e6a4ad771a089998457e767981002ab67c1ce26dec07c077687d7f760b7
                                                                                                                                                                            • Instruction ID: 0fae13eb55e86683a6904f4e923e307642cd5b97e913fecd4e2ae17f97343bce
                                                                                                                                                                            • Opcode Fuzzy Hash: 3e230e6a4ad771a089998457e767981002ab67c1ce26dec07c077687d7f760b7
                                                                                                                                                                            • Instruction Fuzzy Hash: 79423D75A002198FEB25CF69CC81BEDBBFABF48300F158199E949AB342D7349985CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 028dfb44d9ef7ba0113e9285e8574d53ab4dfcf13e615b49f7fa8bfa6ec0b8a6
                                                                                                                                                                            • Instruction ID: 51bed3936a298fddcbc158c6a1d9f0b3a81aa481e0065a2b30b09eacdec2d699
                                                                                                                                                                            • Opcode Fuzzy Hash: 028dfb44d9ef7ba0113e9285e8574d53ab4dfcf13e615b49f7fa8bfa6ec0b8a6
                                                                                                                                                                            • Instruction Fuzzy Hash: 7E32CDB0A007558BEB25EF69CC547BEBBF2BF84704F24821DD54A9B385D735A842CB60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 1b8dab14bb56f4e89d863e8368984b4d9e5fe6b1fb34fb415951b3973d769b5b
                                                                                                                                                                            • Instruction ID: 4cdaece25a467ce2d5fbb26de3531066580164eb8b3005942edfc139a0aadc8a
                                                                                                                                                                            • Opcode Fuzzy Hash: 1b8dab14bb56f4e89d863e8368984b4d9e5fe6b1fb34fb415951b3973d769b5b
                                                                                                                                                                            • Instruction Fuzzy Hash: BF22BD746046698BEB25CFA9C894372BBF1EF44B00F08C55EE9868B386F335D452DB60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 465ea72dca7dc30df45932b5e8438639f22abf4d01696cf604a71f9169cd2664
                                                                                                                                                                            • Instruction ID: 6602ce2abc5f35f0198ec553c997d315504bc7d816c6c46a7eb3863ae9317387
                                                                                                                                                                            • Opcode Fuzzy Hash: 465ea72dca7dc30df45932b5e8438639f22abf4d01696cf604a71f9169cd2664
                                                                                                                                                                            • Instruction Fuzzy Hash: 1032BE71A05615CFDB25DF68C880BAABBF2FF48310F148669E956AB391D730E842CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                                                            • Instruction ID: 7a2bd0764b520999af89febe64797489f0b22b2ab2f5cdb25086f6f1cdd2ad5e
                                                                                                                                                                            • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                                                                            • Instruction Fuzzy Hash: 43F17171E0021A9BDF15DF99CD81BAEBBF6BF48710F098169E945AB340EB34D841CB64
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: be38975e91db932a6e57a268de6d52efd2513a70bd7a18a686aaa14ab59dbd1c
                                                                                                                                                                            • Instruction ID: 41de8e92c7b53b76a13f5e726961d27be0ab9567a3bb5787352c5a38e970e319
                                                                                                                                                                            • Opcode Fuzzy Hash: be38975e91db932a6e57a268de6d52efd2513a70bd7a18a686aaa14ab59dbd1c
                                                                                                                                                                            • Instruction Fuzzy Hash: 23D1E271E0060A8BDF15CF69CC81AFEB7FEAF88304F18816AD955A7241D735E946CB60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c6a2e42a72aef59e7dc7be7d1e14dd29d011ab7b164e1e409c28b5cfe8ffd777
                                                                                                                                                                            • Instruction ID: 949a4827902bf7243a089df4156e1d9eeb80f49ff3974d5fb502476401ef8365
                                                                                                                                                                            • Opcode Fuzzy Hash: c6a2e42a72aef59e7dc7be7d1e14dd29d011ab7b164e1e409c28b5cfe8ffd777
                                                                                                                                                                            • Instruction Fuzzy Hash: 64E1AE71608752CFC715CF28C890A6ABBE1FF89314F058A6DE99987351DB31E906CF92
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d385bca1dd8cee3a4c591bab7e2a8ec4d4cebbf84df0b32b1285537da716c6ee
                                                                                                                                                                            • Instruction ID: 8ac2d6902ab0e4b99afc7170718bdb887c37aeba6715dc57a3dc96e4ac37ff33
                                                                                                                                                                            • Opcode Fuzzy Hash: d385bca1dd8cee3a4c591bab7e2a8ec4d4cebbf84df0b32b1285537da716c6ee
                                                                                                                                                                            • Instruction Fuzzy Hash: 87D10371A006169BDB14CF68CC90EBEB7BAFF54314F09462DEA16DB284EB34E951CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                                            • Instruction ID: 74e5f5b10202c01bb28de6f3902da432b14ceeea6990281fd027e2219fe190e2
                                                                                                                                                                            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                                            • Instruction Fuzzy Hash: B8B17174A006059FEB24DB99CD40AABBBBEFF84305F90846DAA4297790DB34ED45CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                            • Instruction ID: 79cc52e7418bca73922415beb8a20d5cbe626597a79e8778d76640210282b82c
                                                                                                                                                                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                                            • Instruction Fuzzy Hash: 7BB10671604646AFDB26DB68CD50BBEBBF6AFC8310F140299E552D7381DB30E946CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d981faba4b0adfbc09a0f927a7bb069352ba4859d54b10d005f721991b1db786
                                                                                                                                                                            • Instruction ID: 2c9d0751dcbebfbdf1698a6989ed02ec414120ad954f99adf177eb0ed5bb706b
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                            • Instruction ID: e403c160b5ae3c305ef3440644f79790940e673171110a7a32f361d189b7b095
                                                                                                                                                                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                                                            • Instruction Fuzzy Hash: F0715C71A0061AAFDB10DFA9CD84A9EBBBAFF88700F504569E545E7250DB34EE01CF94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e5581b752c62875234e3d1519cb6840a6493d106f2f9ac486912ad5da966dae4
                                                                                                                                                                            • Instruction ID: 7d2759da3e417d8551ac45db08c5e6e0f6216bb58469353723f31d81106d6544
                                                                                                                                                                            • Opcode Fuzzy Hash: e5581b752c62875234e3d1519cb6840a6493d106f2f9ac486912ad5da966dae4
                                                                                                                                                                            • Instruction Fuzzy Hash: EF71E332241B01AFE732DF18CC94F96BBB6EF40724F14842CE656872A1D779E984CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a8751ac47de7da0414d9888351a151bc88e40223ec6b263ce58dd71c16a862f7
                                                                                                                                                                            • Instruction ID: 0a90b5bd036825e13e66a9285cb6e2fa60ddc04ab32f1ee850d1e03972b69808
                                                                                                                                                                            • Opcode Fuzzy Hash: a8751ac47de7da0414d9888351a151bc88e40223ec6b263ce58dd71c16a862f7
                                                                                                                                                                            • Instruction Fuzzy Hash: A8818C72A043168BDB24DF9CDDA4B6DB7FABB48320F19822DD901AB381C7749941CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f765375da1e71ca55ec22ed6b5f49cba3462187fc586b62d4b0eaf39f2c6945b
                                                                                                                                                                            • Instruction ID: d1462d05d27c0d1d0e35a4a7e85ad7c06b23709f7834d01f782c09be16a939ec
                                                                                                                                                                            • Opcode Fuzzy Hash: f765375da1e71ca55ec22ed6b5f49cba3462187fc586b62d4b0eaf39f2c6945b
                                                                                                                                                                            • Instruction Fuzzy Hash: 3D71F572E0021AABDF16DB94CC81FAEBBB9FB04354F10416DE621A7290D774AA45CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: fe6320159ca80fd8bc485de6d71253932a883a7b624e68ae2ad1256ff1b9b165
                                                                                                                                                                            • Instruction ID: 03b88e38e32c9e88c0b6a7c6908814ce8b4e522a4323962b4b44d0469ccff163
                                                                                                                                                                            • Opcode Fuzzy Hash: fe6320159ca80fd8bc485de6d71253932a883a7b624e68ae2ad1256ff1b9b165
                                                                                                                                                                            • Instruction Fuzzy Hash: 7551CF72909612AFD721DEA8CC44E6BBBE9EBC9750F01092DFA40DB250D774ED05C7A2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 524006e6b39ad7083f8f1a2ba966a3909e00f4ce9678b9b593f1111ff41b6406
                                                                                                                                                                            • Instruction ID: e068137f2802661ce8219c44c428f8a8c999cc0a4d96abeb1a27d9f528546a23
                                                                                                                                                                            • Opcode Fuzzy Hash: 524006e6b39ad7083f8f1a2ba966a3909e00f4ce9678b9b593f1111ff41b6406
                                                                                                                                                                            • Instruction Fuzzy Hash: F9518A709007059BD731DF9AC884AABFBFDFF94B10F10861ED296976A1C7B0A945CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: cd8195e1256435247d2f0a5170072678abe13ccf12752bde6baef1a95e70dcec
                                                                                                                                                                            • Instruction ID: 21eb06d41f731e57e34b7f86a29dfe2ff2a3019dce811ef52760985fd1c1687d
                                                                                                                                                                            • Opcode Fuzzy Hash: cd8195e1256435247d2f0a5170072678abe13ccf12752bde6baef1a95e70dcec
                                                                                                                                                                            • Instruction Fuzzy Hash: 71514971200A059FCB22EFA9CD80EAAB7BEFF54794F40046DE94297360D735EA41CB54
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2760353adb8f8ac4d9d6209577decbe20cd55f5e6dfeb9532ca289429992ba62
                                                                                                                                                                            • Instruction ID: f32179fed5c886bff7b1a79377244a582af60b76067951201541e6172ce72e21
                                                                                                                                                                            • Opcode Fuzzy Hash: 2760353adb8f8ac4d9d6209577decbe20cd55f5e6dfeb9532ca289429992ba62
                                                                                                                                                                            • Instruction Fuzzy Hash: 3D5145716083028FD754DF2AC891A6BBBE6FFC8A14F44492DF589C7350EB34D9068B96
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                            • Instruction ID: 6a00cc6b9300ea75c806c1ccb20a24f0ff47e819058b8682470c586fe9ec3788
                                                                                                                                                                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                                            • Instruction Fuzzy Hash: 8451AE71E0021AABDF15DF98C841BFEBBBAAF44354F144169EA01AB340DB34DD45CBA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                            • Instruction ID: df21c0df117999644209f8f1acd06be9b094b5ddbdd72e65b8bc159bcdad68bf
                                                                                                                                                                            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                                                            • Instruction Fuzzy Hash: 2D51EB31D0021AEFDF11DF94CD98BAEBB79AF00314F514669DA1267290D7329D40CFA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 13b74418473cd989d863daa5d5ffbecb637153babecc9f5d771b1b586ede1716
                                                                                                                                                                            • Instruction ID: 5d7023f05a4a96c9456897ae9b764d9fa7ba9be8894af1dfcdca69672efeebc3
                                                                                                                                                                            • Opcode Fuzzy Hash: 13b74418473cd989d863daa5d5ffbecb637153babecc9f5d771b1b586ede1716
                                                                                                                                                                            • Instruction Fuzzy Hash: 9541D1707036119BDA29DB2DCD9CB3BBBDEEF91620F048718E9558B384DB34D811C690
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                                            • Instruction ID: 0844a7421833c86ad8d050fce86df3b885f42fe530ab56a9ad8da3bb56859624
                                                                                                                                                                            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                                                                            • Instruction Fuzzy Hash: A9415F31A01251DFDB11DEAD8C407BABB72EB50B5AF19C06AE945DB348D73B8D81CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2b150b869fea92d453e767372cf638832c9dfd1a05b88e31cb7633b2b09becb2
                                                                                                                                                                            • Instruction ID: 0729c1b29939c8e640f8ef217244bd7623c4eb5658521eb1ace73691983ba782
                                                                                                                                                                            • Opcode Fuzzy Hash: 2b150b869fea92d453e767372cf638832c9dfd1a05b88e31cb7633b2b09becb2
                                                                                                                                                                            • Instruction Fuzzy Hash: 0F416671A01A11EFD721CF18C840B26BBF5FF58314F608A6EE8498B352E771E9428F95
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                                                                            • Instruction ID: 1068def3f057096b09278aee1d5b27fd1b2447a05ed7d3d2e1ddf821e431ff9b
                                                                                                                                                                            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                                                                            • Instruction Fuzzy Hash: 1B413875A00605EFDB64CF98C990AAABBF9FF18704F10496DE996D7250D330EA44CF90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 295daa34aacd39af1e2bef6d3e13baaafc1cbf2fb53953a91dc27deea1688aae
                                                                                                                                                                            • Instruction ID: 75b5cf8c37c3ec9a2e3c2d918f8561f1bcb17c05c80ab3a99d8c9da22cff3c71
                                                                                                                                                                            • Opcode Fuzzy Hash: 295daa34aacd39af1e2bef6d3e13baaafc1cbf2fb53953a91dc27deea1688aae
                                                                                                                                                                            • Instruction Fuzzy Hash: 4941AEB1505B21DFCB21EF28CD60B69B7B2FF54720F1086ADD8169B2A1DB70A941CF51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0017a4b130fda84d7e8a68ae37694ed02993f58196ff6f3d90ab208ea9a0315b
                                                                                                                                                                            • Instruction ID: 44aa2dd131f4e88e03fb1c697b26cf297931704e3ea2d744d4d24723e323433f
                                                                                                                                                                            • Opcode Fuzzy Hash: 0017a4b130fda84d7e8a68ae37694ed02993f58196ff6f3d90ab208ea9a0315b
                                                                                                                                                                            • Instruction Fuzzy Hash: A63188B1A01349DFDB52CF68C840B99BBF9EF49724F2085AED519EB251D3329902CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a7c9799d43313690d2b4a4cde230d6bd2abb5075d1f1132632d167288ccc58b9
                                                                                                                                                                            • Instruction ID: dac2e5b8d0e04bd0f82df28e8de953bedeac4abd5b65221bbbc7b58648668e3e
                                                                                                                                                                            • Opcode Fuzzy Hash: a7c9799d43313690d2b4a4cde230d6bd2abb5075d1f1132632d167288ccc58b9
                                                                                                                                                                            • Instruction Fuzzy Hash: B941AE729043019BD760DF28C845B9BBBE8FF88724F008A2EF998C7250D770D805CB96
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: dc0f685c67238c431522b34a120768b230f8215306e50f8100db57e8846742fc
                                                                                                                                                                            • Instruction ID: 719e2d1566a1b65463b461793b843483c640a4aedac7fca62eb276a20985f1a9
                                                                                                                                                                            • Opcode Fuzzy Hash: dc0f685c67238c431522b34a120768b230f8215306e50f8100db57e8846742fc
                                                                                                                                                                            • Instruction Fuzzy Hash: EF41E372E05617AFDB01DF18CC81AA8B7BAFF54761F288629D815A7384D734ED418BD0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6156731f5860058f4477628e8d838e54d5542ed14ccff9719b3801dfa11fa744
                                                                                                                                                                            • Instruction ID: 4b9a3aa0d8b46dbe77809868935034c6363748da0286c4f0a89662d4e70862a0
                                                                                                                                                                            • Opcode Fuzzy Hash: 6156731f5860058f4477628e8d838e54d5542ed14ccff9719b3801dfa11fa744
                                                                                                                                                                            • Instruction Fuzzy Hash: A841B1726046529FC320DF68CC40A6AB7E9BFC8700F54461DF99597780E730ED14CBAA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e4aefd5009d045e3c4c784acc8faa964ccb87d51744996b19423adae096c8516
                                                                                                                                                                            • Instruction ID: cf087c688850b717beaede68892443661fede14c47912aea0cdf78c39a99dfda
                                                                                                                                                                            • Opcode Fuzzy Hash: e4aefd5009d045e3c4c784acc8faa964ccb87d51744996b19423adae096c8516
                                                                                                                                                                            • Instruction Fuzzy Hash: 9F41BE30B047228BD725DF2CDC94B2ABBAAEF80360F14442DE6468B391DB70D951CF91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e7a44aace2a44bca98a2a5e1dc5137c95469a60b942c7c0ff87a3d6ea624ca26
                                                                                                                                                                            • Instruction ID: 2f18c1de59b34d8bf90bb1b262051ddf31d543d1c7dd4bc55c976985e4e801ac
                                                                                                                                                                            • Opcode Fuzzy Hash: e7a44aace2a44bca98a2a5e1dc5137c95469a60b942c7c0ff87a3d6ea624ca26
                                                                                                                                                                            • Instruction Fuzzy Hash: C0418071A01615CFCB15DF69CD8099DBBF6FF98320B28862ED466A7354DB349941CB40
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: 8caf8dc511a1e38541fa7dfd065d81431d807dce477a0d50be68b73db6989f1c
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: C2314631A04246AFEB129B6CCC80B9BBFF9AF54310F0441A9F855D7342C7B4D888CBA4
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e8afb8873556c7e702c830b0b4ba296b45627c5a6704078485a5a48a030be4a
• Instruction ID: dd64349d0caed86904edce6c04eaa622ad0046229f04f569065d4b685e329979
• Opcode Fuzzy Hash: 6e8afb8873556c7e702c830b0b4ba296b45627c5a6704078485a5a48a030be4a
• Instruction Fuzzy Hash: 3E31B431741716ABD722AF658C40FBFBAB9EB59F50F00402CF600AB381CAA5DC0187E4
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86eaa421ac9e3e8799389e66366cb6703fd3670b8817a404f65a1010afcf578b
• Instruction ID: 16aaa8faa1d1aea3cc58b81f874d7da63ff1d099cdfb1fa44080ec8194032444
• Opcode Fuzzy Hash: 86eaa421ac9e3e8799389e66366cb6703fd3670b8817a404f65a1010afcf578b
• Instruction Fuzzy Hash: B3319E32A052018FC721DF1DDC80E66B7E6FB85360F0A846EF9958BB51DB71AC41CB95
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 564ebf085ce4ba27262bcbf9a5e1fd7397d9f0fa7d4369129baa45617b114ad7
• Instruction ID: 74750071f425ef9aecc4398bc2d66cdbaa3da26e72d57ebfc0b99691f60fe2be
• Opcode Fuzzy Hash: 564ebf085ce4ba27262bcbf9a5e1fd7397d9f0fa7d4369129baa45617b114ad7
• Instruction Fuzzy Hash: 5C418D31200B45DFD722DF29CC91BD67BE9BB45354F01892DE65A8B350CBB4E804CB94
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34dfc8b1f1515a3b65b106f17a28e2274bd7531152c2ab8e4d23ba6f7432ae71
• Instruction ID: 41eb58a2667daf629cfa0e023e6807732ca4fc2d31e0f50b8e3dc6046a3187cc
• Opcode Fuzzy Hash: 34dfc8b1f1515a3b65b106f17a28e2274bd7531152c2ab8e4d23ba6f7432ae71
• Instruction Fuzzy Hash: F6318B71A052019FD720DF2CCC90A2AB7E5FB84720F09896DF9959BB91EB30ED05CB95
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce064cf4eb2fadec36df5c6da094f999d009109d2c6173fd0e5eb263746c6f0e
• Instruction ID: 95dd422d1a47ba60c41d2b5b88f67f51accf841c31d19ddf12a0c531881f39f0
• Opcode Fuzzy Hash: ce064cf4eb2fadec36df5c6da094f999d009109d2c6173fd0e5eb263746c6f0e
• Instruction Fuzzy Hash: F031B0326016C2DBFB22D75CCE48B257BDDBB40B44F1D04A4AA859B7D2DB29D841C224
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dcfb0d3c110c2898f4a4f9bca96a708d0050e2556dd3eaaddb87d6c431a0901c
• Instruction ID: c927dc34d287a3c555bbf09f6b3fd80a28a5bbd268155951213f515984f8eef9
• Opcode Fuzzy Hash: dcfb0d3c110c2898f4a4f9bca96a708d0050e2556dd3eaaddb87d6c431a0901c
• Instruction Fuzzy Hash: 7931B275A01116AFDB15DF98CC44BAEB7FAEB48740F458268E900AB244D770ED01CBA4
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41a79a709443bd6d40331dbc60baa6d8b813b259efd070afb59261cfca126dc9
• Instruction ID: d83bec19bca9aa13012b0bcd80bda2d15b7c7692c3947a70a9ac02d2a8c80319
• Opcode Fuzzy Hash: 41a79a709443bd6d40331dbc60baa6d8b813b259efd070afb59261cfca126dc9
• Instruction Fuzzy Hash: 92315576A4012DABCB21DF54DC94BDE7BFAEB98750F1040A9E508A7250CB30DE51CF90
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 89e7cd7a2b28c292eed6ea769e5ebbd557efb5b244dbcd251cc0c54575b5e576
• Instruction ID: c2bfe59dba533d21182ae14abbffcdabc98b9b293a333781376faeaef9a9b128
• Opcode Fuzzy Hash: 89e7cd7a2b28c292eed6ea769e5ebbd557efb5b244dbcd251cc0c54575b5e576
• Instruction Fuzzy Hash: 0931E432E00215AFDB21DFA9CD40AAEBBF9FF44350F018569E516E7250D3759E008BA0
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05413f600c0b52243eaba28093e6e57160bb4f386eb136c5561659168f1717b8
• Instruction ID: 1771533ac17e135ad0b2101b4777c00ac6907058b0725253bf676d99adc7484b
• Opcode Fuzzy Hash: 05413f600c0b52243eaba28093e6e57160bb4f386eb136c5561659168f1717b8
• Instruction Fuzzy Hash: 0D31F471A41202EBDB139FADCC50BAABBFAAF94315F00416DE506EB342DB30DD018B90
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37f9a75b6176df277eacf3e6b5c0f5227c39b61af9d00be966552e9816f557cf
• Instruction ID: 025d8f037d074657ae46b306b25f0794ec87e2f898655cf1318c2294146f5397
• Opcode Fuzzy Hash: 37f9a75b6176df277eacf3e6b5c0f5227c39b61af9d00be966552e9816f557cf
• Instruction Fuzzy Hash: E831F976A04B22DBCB12DE288C80D6BBBA6AFD4650F03456DFD5697310DB74DC018BD5
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d60f9cd1ba1287a0548df9aff1123ae6a31dea7a22ff4d935019214f4df484a
• Instruction ID: e1e3c87b75115056d321253340ccafa3bd20a708a3899729c2a5d1e8b2ca9c27
• Opcode Fuzzy Hash: 9d60f9cd1ba1287a0548df9aff1123ae6a31dea7a22ff4d935019214f4df484a
• Instruction Fuzzy Hash: 3831AFB26097118FE761DF19CC40B2BBBE9FB88700F044A6DE984A7351D770E844CBA2
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction ID: 1400c53ce238a1056cab4ee0124ec31983b74f318bca9abbb178aacbac95d32b
• Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction Fuzzy Hash: 8C312CB6B00B01AFD761CFA9DE40B67BBF8AB08650F04052DA99AC3751E730E9008B64
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 674e458083563a9a59bc472bc413d6e51baa9db6661c6c83e9f51ac1b14c82df
• Instruction ID: 4842cbb18445357c1fa97985701e9418a8ada24d8f1bfdf01c1cc0fbc67819ac
• Opcode Fuzzy Hash: 674e458083563a9a59bc472bc413d6e51baa9db6661c6c83e9f51ac1b14c82df
                                                                                                                                                                            • Instruction Fuzzy Hash: F2318BB16093418FCB11DF1DC95086ABFF1FF89A18F4449AEE4989B351D332D945CB92
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e4afcabe0914f63e1f5a413dec380eaae1fab19ad0409d5c0e1f5a3a5b44972b
                                                                                                                                                                            • Instruction ID: 4e05626720fd501fe8059d65100ab2abbdc88bdf5e68500c5d90fd9d3ebd3af6
                                                                                                                                                                            • Opcode Fuzzy Hash: e4afcabe0914f63e1f5a413dec380eaae1fab19ad0409d5c0e1f5a3a5b44972b
                                                                                                                                                                            • Instruction Fuzzy Hash: 3C31D472B012059FD724EFA9CD82B6EBBFAEB84704F008529D545D7255DB30D946CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                                            • Instruction ID: 02d137a258adfe2932184f44b648cfcfaea614ee8782c4890b7341cee038cf92
                                                                                                                                                                            • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                                                            • Instruction Fuzzy Hash: 56210436E4125AAADB10DFB98C01BAFBBB6AF54750F098175AE15E7340E370CD0187A0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: abd289ab789f0db6e10146df8c77246c5c898c265c38d05cc9e47f7adca789b4
                                                                                                                                                                            • Instruction ID: 0a82c6eb385a871c417d51834242b035fe52aa7aeba680439fb735dc546217a2
                                                                                                                                                                            • Opcode Fuzzy Hash: abd289ab789f0db6e10146df8c77246c5c898c265c38d05cc9e47f7adca789b4
                                                                                                                                                                            • Instruction Fuzzy Hash: 563170715002118BD731AF5CCC41B79B7B5EF80314F44C5ADD9459B386DB74D982CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                                            • Instruction ID: a820a597d640a7f53d6cb0e4240e455a0ac22bc1bc21b112a596527a0edf2762
                                                                                                                                                                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                                            • Instruction Fuzzy Hash: 6A213D36A0065AB7CB15ABA98C00ABFBBBBEF40710F40801EFA9587691E734D940C764
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 53975987bcb28be558850320974a13dcd3741c749e6333d667f4499652305c58
                                                                                                                                                                            • Instruction ID: 37897260943f305677c6f83828d2b4d443e896e605a63fdebbce9cfa9fb86cdf
                                                                                                                                                                            • Opcode Fuzzy Hash: 53975987bcb28be558850320974a13dcd3741c749e6333d667f4499652305c58
                                                                                                                                                                            • Instruction Fuzzy Hash: 7A31F731A4152C9BDB32DF18CC41FEEB7BAEB15750F0500A5EA45A7290D775DE818FA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                                            • Instruction ID: 0d77a83b73194ae77e1b154581709a487d71ff672afdfc93f8201f65804aab50
                                                                                                                                                                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                                            • Instruction Fuzzy Hash: 9B217435A00615EFCB55CF58CD80A8EBBF5FF48714F5080A9EE159B241EA71DA45CB60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 46435da00388c24ac48a44af0059fd365803db656c2ce16710113fd59259ad45
                                                                                                                                                                            • Instruction ID: a120a487a8e97dbfda42d51f63ea197fb009b4be16f169c04debec8218dab333
                                                                                                                                                                            • Opcode Fuzzy Hash: 46435da00388c24ac48a44af0059fd365803db656c2ce16710113fd59259ad45
                                                                                                                                                                            • Instruction Fuzzy Hash: 8C21C1726087459BCB22CF58CC80B6BB7E5FB88764F008569FD559B741EB30E941CBA2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                                            • Instruction ID: 9de63dca01827086adafec7089db10328c568efeaff40e1c01a78b2fec666e48
                                                                                                                                                                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                                            • Instruction Fuzzy Hash: 08316B31600645EFD722CB68C984F6AB7B9EF85354F1449A9E952CB394E730EE42CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6ad8cb0d596ba99fb5f1d3f97aca3308fa089761c44d2b85178bf036bd4ce7eb
                                                                                                                                                                            • Instruction ID: a88815b5f5d27b3e07cfefe8d623fb01d95a9bc540c68134d4c20b561dcb37ce
                                                                                                                                                                            • Opcode Fuzzy Hash: 6ad8cb0d596ba99fb5f1d3f97aca3308fa089761c44d2b85178bf036bd4ce7eb
                                                                                                                                                                            • Instruction Fuzzy Hash: 0A316975A00225DFCF18CF1CCC849AEB7BAEF84304B15855AF9099B391E772EA51CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 98960e4755bd79b88c2eb9ed248a7a4effb7e9bc2c9b48b60ec1bfe0b798447c
                                                                                                                                                                            • Instruction ID: bfa89cbe944077c1b81dfcca5daf28663a7c48b96df5aa2e29518e1a0e605128
                                                                                                                                                                            • Opcode Fuzzy Hash: 98960e4755bd79b88c2eb9ed248a7a4effb7e9bc2c9b48b60ec1bfe0b798447c
                                                                                                                                                                            • Instruction Fuzzy Hash: 89219C719002299BCB259F59CC81ABEBBF8FF49740B400069F941AB240D738AD42CFA5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9afd3c13942ca18680865cd3f551455085372b537efc9ced900e593dd6db1dd
• Instruction ID: edd765f016212f9c74e2d7e4294b08d17f5816bf3f21685f11693c8de852192f
• Opcode Fuzzy Hash: a9afd3c13942ca18680865cd3f551455085372b537efc9ced900e593dd6db1dd
• Instruction Fuzzy Hash: 72218972600645AFD715DBACDD84A6AB7A8FF88740F144069F904DB7A1D738ED40CBA8
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15adc9aa1c2433ba201b037d0f6eeea7d277b8b8d953882fc62776f78181cdfe
• Instruction ID: c05cc92ae3976946a9fc1012d8ff5e48307c3ab76a0b245e93911627e9703512
• Opcode Fuzzy Hash: 15adc9aa1c2433ba201b037d0f6eeea7d277b8b8d953882fc62776f78181cdfe
• Instruction Fuzzy Hash: 9421C2729043469FD711EF59DD48B6BBBDCAF91240F48445ABD80C7351D734DD05CAA2
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21aee5a469af3b6baf9895dc3956a96f06e8bf0ac83074c79a5d9fdba4e1e2f2
• Instruction ID: 8b91dbabc47b5adbd4429439c49cd1c6b070e55e7c44a68b11b69dcd7d0458ea
• Opcode Fuzzy Hash: 21aee5a469af3b6baf9895dc3956a96f06e8bf0ac83074c79a5d9fdba4e1e2f2
• Instruction Fuzzy Hash: EB2107327056819BF3226B6C9D18B287BD5AF81770F290369FA20DB7D2D768C842C254
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c209977cd9a4ccc028108c2e1b0845c4e022e8044c4c5ac3089dff072389fa20
• Instruction ID: ac94cd35f7cd6905ba1ddbbfc190dc3695a7761e694aad3fc3373c1008565ee9
• Opcode Fuzzy Hash: c209977cd9a4ccc028108c2e1b0845c4e022e8044c4c5ac3089dff072389fa20
• Instruction Fuzzy Hash: EF21AC75240B019FCB25DF69CC00B46B7F5BF48708F14856CA90ACB762E775E842CB98
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc874efefea255385deef5564392976d9a1c5f067906a47c5c4ae41b96be03d8
• Instruction ID: e5f508b1862b72fa6ba2e03f32281515b54bf80f90ab7cdd77e86369db451949
• Opcode Fuzzy Hash: cc874efefea255385deef5564392976d9a1c5f067906a47c5c4ae41b96be03d8
• Instruction Fuzzy Hash: F4112973784A11BFE72256999C01F27769ADBD4B60F91006CF759CB280EB70DC01879A
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e2e3908a4dd961367bc5897f52a4fc7b28fc3232ef887c73a2379ab3ecd9a81
• Instruction ID: 8427c8e1b3323411e60e320db90be9f39bf188e506bdb6a3a811089cbc80fa59
• Opcode Fuzzy Hash: 0e2e3908a4dd961367bc5897f52a4fc7b28fc3232ef887c73a2379ab3ecd9a81
• Instruction Fuzzy Hash: AA21D4B1E00219ABCB24DFAAD8809AEFBF9FF99710F10412EE405A7254DB749941CF54
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
• Instruction ID: 157c3226c56c9792e13da7f0563adddf03877fa680374fd48957f6a839753d17
• Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
• Instruction Fuzzy Hash: 46216A72A0020AAFDB129F98CC80BEEBBBEEF88311F244459F901A7251D734D9918B50
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
• Instruction ID: ef359d0b9f8551fd334df26c59769fcd8dfbdf5311d674fbfda2743a337f36a2
• Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
• Instruction Fuzzy Hash: 31110173601605BFE7229F88CC40F9ABBB9EB80755F10002DFE018B280E671ED44CB65
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64f9f2282f15afc04147de8e3c7a5ce93ace6cb9f2d26efe54525e45fec0bae0
• Instruction ID: 7564f8bc13e155144a5de5e2433cfda1367d4d3928a11bced8ad23245185a3c7
• Opcode Fuzzy Hash: 64f9f2282f15afc04147de8e3c7a5ce93ace6cb9f2d26efe54525e45fec0bae0
• Instruction Fuzzy Hash: D211B271701A319BDB11CF4DCC80A6ABBEDAF5A710B19406DEE089F305D7B2D9018F90
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
• Instruction ID: 14410992161741f3bfbb3e624077dd7d9e3ac72b8b4a889d6eb2af9a95367527
• Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
• Instruction Fuzzy Hash: C2218B72600641DFDB758F89C940A66FBE6EB94B10F148A3DE94A87710E730EC01CB80
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c428bd23cb319fa6cf14ce09c72bacedef094e0d9cdfbf3a02c4b086952c149
• Instruction ID: 87d7bb335dc30582ee92442e66c20209651ac72be2a7b777f2b832fc03e447ff
• Opcode Fuzzy Hash: 2c428bd23cb319fa6cf14ce09c72bacedef094e0d9cdfbf3a02c4b086952c149
• Instruction Fuzzy Hash: 0E214C75A00616DFCB14CF58C981AAABBF9FB88319F34816DD105A7391C771AD16CF90
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72024d4c2afa6640f15083521983167a89511fe93445aefd4285991c78bec079
• Instruction ID: 8559f71f09d5b8ec0c1170d2191fa429fecf6207188be17b1a14de3d885f3d70
• Opcode Fuzzy Hash: 72024d4c2afa6640f15083521983167a89511fe93445aefd4285991c78bec079
• Instruction Fuzzy Hash: E9216A71600A00EFD7608F69CC80B66B7E9FB84350F84882DE9AAC7650DB70E841CB64
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 755185fd4f447eb454d73b7dcabff4dfb5e7d69eeacee646da23fdd5b57269c1
• Instruction ID: 3eb40640323d053b30c1112d8725e487ba5f7178b64a32e40b980d01a34b50aa
• Opcode Fuzzy Hash: 755185fd4f447eb454d73b7dcabff4dfb5e7d69eeacee646da23fdd5b57269c1
• Instruction Fuzzy Hash: 2F119132240515EBD722EB9DCD80FDA77A9EB95660F114029F2059B251DA70E941C7A0
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c06bb0bd38046b6a8f0b30f83706f4f73c7d4aa40e047126981ec83f8121b4f
                                                                                                                                                                            • Instruction ID: d7e75b6f5b2c0caa794b950fc8831e6da550b377bb56b3f4ed0320b85e8db3a0
                                                                                                                                                                            • Opcode Fuzzy Hash: 0c06bb0bd38046b6a8f0b30f83706f4f73c7d4aa40e047126981ec83f8121b4f
                                                                                                                                                                            • Instruction Fuzzy Hash: 5A112637305114AFCB19DB29CC81A6BB267EFD6374B25453DEA22CB391EA71D842C394
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: db533a0ce8437c27b7b29f09a8b7e34ec620369a5c7f2f75bfe3545f51c65d8e
                                                                                                                                                                            • Instruction ID: b820310ce6899f9fa842c351c6c9b9f8c9e7d67d99d81be6d9e707bea5cc10df
                                                                                                                                                                            • Opcode Fuzzy Hash: db533a0ce8437c27b7b29f09a8b7e34ec620369a5c7f2f75bfe3545f51c65d8e
                                                                                                                                                                            • Instruction Fuzzy Hash: BA11BC76A012059BCB65CF59CD80A6ABBE9AB84620F41807DED059B311E770DD00CBA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                                                            • Instruction ID: 0edaf4779cbb109d7ad1ea36c5bcd8ec38fcc8b0a29c67ee8990f5dfd5f8e609
                                                                                                                                                                            • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                                                            • Instruction Fuzzy Hash: 08110436A10905AFDB19CB98CC05B9DBBF6EF84310F058269EC4597380E671AD11CBC0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                                                            • Instruction ID: be80aa101ad0c63d347a3bc4c24b28879f5e200c141be5c056d3499072a45f84
                                                                                                                                                                            • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                                                            • Instruction Fuzzy Hash: F721E2B5A00B059FD3A0CF29C840B52BBE4FB48B10F10492EE98AC7B40E371E814CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                                                            • Instruction ID: 7720133affdc565300b75cf0c0a4f19f5e45934ee3799fc8dc8ea5f9c2701471
                                                                                                                                                                            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                                                            • Instruction Fuzzy Hash: 6A11C232600601EFE7219F48CC40B56BBE6EF85754F46842CEA0A9B260DB32DD40DFA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 51360da2fc8236184c7304c477dea884131305a3c05ffb8d5a4f64e12cbe06c7
                                                                                                                                                                            • Instruction ID: bb76ccb2447c567ea80c43d2abf1f7fe20e056e5b7f956f022378d2038677fc5
                                                                                                                                                                            • Opcode Fuzzy Hash: 51360da2fc8236184c7304c477dea884131305a3c05ffb8d5a4f64e12cbe06c7
                                                                                                                                                                            • Instruction Fuzzy Hash: CE010472605645AFF316A6ADEC98F6B7A8DEF80390F160069FD00CB341DA14DC01C275
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 67f357dead2792246e84333172c30f3925a10ffcdbe830539cba519339c3fd36
                                                                                                                                                                            • Instruction ID: 7f8514ef4ce3d7fe5a78bf12822abd4a14a425a3ad45cf8fa9812d51baeda750
                                                                                                                                                                            • Opcode Fuzzy Hash: 67f357dead2792246e84333172c30f3925a10ffcdbe830539cba519339c3fd36
                                                                                                                                                                            • Instruction Fuzzy Hash: 7311C236200A65AFDB25CF59DC80F667BA9EB85764F004519FA288B750CB71E800CF60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: ee5a55da8d91936379d856e41fb39d1889ab4d8d907f2460e2694510ed1b0706
                                                                                                                                                                            • Instruction ID: 082e86b85590d4cb0f8f9fd823aab096b2a884122df29baa80a2df2fcf63a289
                                                                                                                                                                            • Opcode Fuzzy Hash: ee5a55da8d91936379d856e41fb39d1889ab4d8d907f2460e2694510ed1b0706
                                                                                                                                                                            • Instruction Fuzzy Hash: A011E0322006059BD7229A29DC44B67B7A6FFC4210F14442DEB4287B91DF30A802CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: de24391a5249a0ebe51175bdf7153b8b3b048738d99a74042c9a0ed90ccdebbe
                                                                                                                                                                            • Instruction ID: 95f9369d0c928d7d685a2d5b55a0e63953674ac4a999cd1b257d94bbf3ef20ff
                                                                                                                                                                            • Opcode Fuzzy Hash: de24391a5249a0ebe51175bdf7153b8b3b048738d99a74042c9a0ed90ccdebbe
                                                                                                                                                                            • Instruction Fuzzy Hash: 8111CE72A01626ABDB21DF59CD80B5EFBB9EF88750F900068EE01A7300D730AD01CBA5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0569ef2a552e51e069a3d7431bf331dd3bb2dfb4a02e4a7624d90b6843e9ff55
                                                                                                                                                                            • Instruction ID: 11fb1ab6ea9b9969f7724a7f04dab5990f716b34b4a45791b02320c0a15e2192
                                                                                                                                                                            • Opcode Fuzzy Hash: 0569ef2a552e51e069a3d7431bf331dd3bb2dfb4a02e4a7624d90b6843e9ff55
                                                                                                                                                                            • Instruction Fuzzy Hash: 9201D27150010A9FC329DF1CD844F26BBFAFBC6724F20816EE0048B264D7749C82CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                                                            • Instruction ID: 54f8179331011726ab4b46c89674e138461f5b74e4b4dd9d0599dc1afdf383ff
                                                                                                                                                                            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                                                            • Instruction Fuzzy Hash: B3118E722016C2DBEB26A72CDD58B257B94FB41758F1901E0EE41CB792F72EC842C2A0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                                            • Instruction ID: 91c1d9b6fd424ffe47dbd65f181c33a0aa0d836e0fb984e3fab2670320275928
                                                                                                                                                                            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                                                            • Instruction Fuzzy Hash: 89019236700615AFE7219F58CC40F7A7EAAEB85750F458428EA059B260E772ED41CF94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                            • Instruction ID: 1fc1c22084cdd101d16e8724c362ebc1707614342a24113f20feacf6cb93cd3c
                                                                                                                                                                            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                                                                            • Instruction Fuzzy Hash: F00126714067619BCB318F59DC40AB27BA9EF55760B08C62DFC958B285C331D401CB60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 4cb087ac9d69072ead517004126850c60c3d2660bdc7d6eba37c6807c3ca4280
                                                                                                                                                                            • Instruction ID: a4fccbc8259fed37d647ae07b414b4ceec3258ca47f8bc2c098d1cdbac3879c9
                                                                                                                                                                            • Opcode Fuzzy Hash: 4cb087ac9d69072ead517004126850c60c3d2660bdc7d6eba37c6807c3ca4280
                                                                                                                                                                            • Instruction Fuzzy Hash: 7C01D6726415019FC732DF1CDC40E13B7A9EB91770B15425DEA689B696EB30D801C7D0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: bc0131e0e2fa1b4c7a1be9584749a12cd38fce75c68bc95a5c60efb2d84a45a2
                                                                                                                                                                            • Instruction ID: 33439ecc6663618f2f242490c3657edf40226af28d1b20243128d9ebff8a3592
                                                                                                                                                                            • Opcode Fuzzy Hash: bc0131e0e2fa1b4c7a1be9584749a12cd38fce75c68bc95a5c60efb2d84a45a2
                                                                                                                                                                            • Instruction Fuzzy Hash: E711AD32241641EFDB15EF19CD90F16BBB9FF58B44F2000A9F9059B661C336ED01CA94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d41e300aff6ba72f0c5bf6c6e6c19ebe9ebc5865c064a27dc275f26db38ac285
                                                                                                                                                                            • Instruction ID: 301df78779f7e555342fb49b0086fa417c56455ab81b2f4cd65e687ad9f07f5b
                                                                                                                                                                            • Opcode Fuzzy Hash: d41e300aff6ba72f0c5bf6c6e6c19ebe9ebc5865c064a27dc275f26db38ac285
                                                                                                                                                                            • Instruction Fuzzy Hash: 1311C270502229ABDB25EF28CC51FE87379FF04714F5081D8A718A61E0D7709E81CF88
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 450e5137e5c1d82b8166378f0406980dc34af4d7f0f56dd2f3273925dd5dc809
                                                                                                                                                                            • Instruction ID: 19aae316fc665b2dec3608e027daaedb4738e8d93d19a389f55f1ae6bfd235c8
                                                                                                                                                                            • Opcode Fuzzy Hash: 450e5137e5c1d82b8166378f0406980dc34af4d7f0f56dd2f3273925dd5dc809
                                                                                                                                                                            • Instruction Fuzzy Hash: D5112973900119ABCB15DB98CC80DDFBB7DEF48258F044166E906E7211EA34EA55CBE0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                                            • Instruction ID: cce6d9155c1fb802c17a5b07d6f950e247d51d3b9a9a1b33b884630d857824fd
                                                                                                                                                                            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                                                                            • Instruction Fuzzy Hash: 7101F1326005208BEF118A6DDC90EA2776BBFC4600F1540ADEE158F346DB758C81CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 25739f8b2efa938a31f3d5ee8c93a5b808291cc3c0c5e5b9d3f16c2ef711e10e
                                                                                                                                                                            • Instruction ID: caf41215a902f47478259165faf324d6ce1b88595b963b953e4a406e2aeeb364
                                                                                                                                                                            • Opcode Fuzzy Hash: 25739f8b2efa938a31f3d5ee8c93a5b808291cc3c0c5e5b9d3f16c2ef711e10e
                                                                                                                                                                            • Instruction Fuzzy Hash: 4611A1326441469FD711CF58D880BE6BBB9FB9A314F08C159E8498B316D732EC91CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7ff033d6aa87b79a51fd6c82e8732e60ed7a137010d3a327b4abb76fd20c1f27
                                                                                                                                                                            • Instruction ID: 64cd7ad88e6e38261f5b1c6dab01828e5b1d1f0e16a0ecaee0ee9c28f2c12f2a
                                                                                                                                                                            • Opcode Fuzzy Hash: 7ff033d6aa87b79a51fd6c82e8732e60ed7a137010d3a327b4abb76fd20c1f27
                                                                                                                                                                            • Instruction Fuzzy Hash: A11118B1E002099BCB00DFA9D941AAEBBF8FF58250F10806AA905E7351D674EE01CBA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f0bde2da9e81ff720ad2cd43ffd38af151228b4b1fb3459d1e74d8b718c07a12
                                                                                                                                                                            • Instruction ID: 1276ee9b32b09b234c5ea0984c6bd76d3f729567479239ff0e2ae3b600624718
                                                                                                                                                                            • Opcode Fuzzy Hash: f0bde2da9e81ff720ad2cd43ffd38af151228b4b1fb3459d1e74d8b718c07a12
                                                                                                                                                                            • Instruction Fuzzy Hash: 7B01B1321402119FCB32AF5D8C50936BFBAFF91E60B04442EE9555B351CB229C41CB91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                                                            • Instruction ID: c8ae59a2e3330cbdaebd2db0c1d0df4dadfeb78a768ff84ee3cca20133c20b33
                                                                                                                                                                            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                                                            • Instruction Fuzzy Hash: 0B01D8322007459FEB2296A9DD40EAB77EAFFD6654F04881DAA468BA40DF75E402CB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 5bbe746b04433f27a0e62c13e13c129acca2cb7560cfe223e013227814c0c229
                                                                                                                                                                            • Instruction ID: 42d2a0bf636fec1f724514a734cc1113647a3cc7639d6cead0f459e5880344a8
                                                                                                                                                                            • Opcode Fuzzy Hash: 5bbe746b04433f27a0e62c13e13c129acca2cb7560cfe223e013227814c0c229
                                                                                                                                                                            • Instruction Fuzzy Hash: 93116D75A0020DEBCF05DFA8CC50BAEBBBAEB45284F00405DEA0197350DB35AE11CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3015513d1740b90757675114a6ec656c1a73f68736e8696c981add9ad6709da9
                                                                                                                                                                            • Instruction ID: 665d4a6b2a12c6fea47ee7c81800b534a44671e96fc7c822b5dc9f5ebf44fad1
                                                                                                                                                                            • Opcode Fuzzy Hash: 3015513d1740b90757675114a6ec656c1a73f68736e8696c981add9ad6709da9
                                                                                                                                                                            • Instruction Fuzzy Hash: F501DFB2241A02BBD711AB2ECD80E53BBADFB986A4B00062DB50583651DB24FC11C6A8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a5db5d953a30f1fa4aabc89135aac3a1579a3dd3778e654a151b1af0896c91ef
                                                                                                                                                                            • Instruction ID: da05d66013301281500a154096af2cb92b6d1a7632a460e2634832906921ea50
                                                                                                                                                                            • Opcode Fuzzy Hash: a5db5d953a30f1fa4aabc89135aac3a1579a3dd3778e654a151b1af0896c91ef
                                                                                                                                                                            • Instruction Fuzzy Hash: AC01FC322142169BD720DF6EDCC89A7FBACFF99660F114129ED5987380E7309951C7D1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e4471af0b228601dd5c692aa3da2b804a5c66915acfa3c4e312a3ade66f64a68
                                                                                                                                                                            • Instruction ID: 48712c5e68e7acd30d474e36a09de374c681dfc0ffa0f8aaba9450178db85566
                                                                                                                                                                            • Opcode Fuzzy Hash: e4471af0b228601dd5c692aa3da2b804a5c66915acfa3c4e312a3ade66f64a68
                                                                                                                                                                            • Instruction Fuzzy Hash: B3111B75A01209ABDF15EF68DC44EAE7BBAEB59250F004059F90197350DB35ED11CB94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 86f7b38a57f4a184c7f0bb99e314476d7b3c2898f265e027596481611efdd0b7
                                                                                                                                                                            • Instruction ID: ed5d4facae18dc832ea2994d9dc17876a638d5fb3487bcd7ff35e2b76ed9c648
                                                                                                                                                                            • Opcode Fuzzy Hash: 86f7b38a57f4a184c7f0bb99e314476d7b3c2898f265e027596481611efdd0b7
                                                                                                                                                                            • Instruction Fuzzy Hash: 3B1139B16183099FC700DF69D841A5BBBF8FF99710F40851EB998D7391E630E901CB96
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 59a7415a9010eb528870c5290d7a3426876d36c41de2717091c59f94f32533c2
                                                                                                                                                                            • Instruction ID: b39549688666d0033fc1cc83c64838a8c2538078e905e2f558945dfe86a2340e
                                                                                                                                                                            • Opcode Fuzzy Hash: 59a7415a9010eb528870c5290d7a3426876d36c41de2717091c59f94f32533c2
                                                                                                                                                                            • Instruction Fuzzy Hash: C41179B16083089FC300DF69D841A5BBBF8FF99350F00851EBA58D73A4E630E900CB96
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                            • Instruction ID: c07f760d013db8ef19a0f55a4e0c07d21e75efa0dac933b5c81db8c0918cbb7e
                                                                                                                                                                            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                                            • Instruction Fuzzy Hash: F1018B32200680DFE322871DCE48F26BBE8EF94764F0904A6F905CB7A1D739DC41CA25
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d82b15eb158864e2d77919290c66ea35952b4d2d4274be3933def68cbdba649d
                                                                                                                                                                            • Instruction ID: 4bf0eaa01db59bb89fb5cf032c8b000cd76ec207405d0ee1a80035a785ef81a8
                                                                                                                                                                            • Opcode Fuzzy Hash: d82b15eb158864e2d77919290c66ea35952b4d2d4274be3933def68cbdba649d
                                                                                                                                                                            • Instruction Fuzzy Hash: 36018F317105059BD715EF69DC109AABBAEFF81620F5980699A01A7798EE20DD02C694
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: b2ecd00c2dc56ea74dd17eff94e079f6a7a7b4fad22f08866898d0bc11df1a33
                                                                                                                                                                            • Instruction ID: 85ab2c29366ef9096b33c0c37ed1564dc6f88a5422bb9dca5e0890dca5fb8621
                                                                                                                                                                            • Opcode Fuzzy Hash: b2ecd00c2dc56ea74dd17eff94e079f6a7a7b4fad22f08866898d0bc11df1a33
                                                                                                                                                                            • Instruction Fuzzy Hash: 2D018FB1284601AFD3315B19DD50B22BAB9EF95F60F05442EB2169B390D7B1A8418B68
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 025dbcc6e91b5d88cc4667d576eb0dff0684e1d1138346ce9b348d1fb6c084d2
                                                                                                                                                                            • Instruction ID: 5a67bd4cf47d0f0547f85042cb5d512d6d4cce957957015ce90813fffe27bd57
                                                                                                                                                                            • Opcode Fuzzy Hash: 025dbcc6e91b5d88cc4667d576eb0dff0684e1d1138346ce9b348d1fb6c084d2
                                                                                                                                                                            • Instruction Fuzzy Hash: 65F0A433A41B21B7C7319B5A8D50F57BAAAEBC4B90F15842DE606A7740DA34ED01CAA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                            • Instruction ID: 6e88c0e01b46e890c05b090dd98b440f11268dad550fd637c3b3b19c44a3585a
                                                                                                                                                                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                                            • Instruction Fuzzy Hash: 92F062B2601615ABD328CF4DDC40E57FBEEDBD5A90F05812DA555D7320EA31DD05CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: a754ad86a7b7228dac79a62fad5b118a81e54a2522501f8832f492284a7b551d
                                                                                                                                                                            • Instruction ID: 5c062f96e283f9ceb12ce10ba2cdb825ab6ee17d45f382049c5675fa73bfe1b2
                                                                                                                                                                            • Opcode Fuzzy Hash: a754ad86a7b7228dac79a62fad5b118a81e54a2522501f8832f492284a7b551d
                                                                                                                                                                            • Instruction Fuzzy Hash: 38012176A10209ABDB04DFA9D951A9EB7F8FF58704F10405AE904E7350D6749A018BA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                                            • Instruction ID: 20e5c249db115cf97c134ee0d0eb5f6dca3ae0c6010ea47362951b4820ff6788
• Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
• Instruction Fuzzy Hash: D1F02B33284A339BD7325A9D4C40B2FAA9A9FD1B64F1E0039F2099B74CCA658D0397D0

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4192285dea0a92dac813158ed676254244fc85c411f82acb43d2eb4578afeb8e
• Instruction ID: 89fd39f42cdf809fa47def846fa389f30da4bb84228c50cd083b39c6618ddd1d
• Opcode Fuzzy Hash: 4192285dea0a92dac813158ed676254244fc85c411f82acb43d2eb4578afeb8e
• Instruction Fuzzy Hash: 40014475A10209EFCB04DFA9D951AAEB7F9FF58304F10805AF904E7351D674AE01CBA4

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7d360a58d26b206584a9361827ac99da1857a0cacc1a07ca14397588a462b85
• Instruction ID: 68a54f6a9c0fe3ea2447e96272ee55590975c57ecaa057428bdeca458c42af73
• Opcode Fuzzy Hash: a7d360a58d26b206584a9361827ac99da1857a0cacc1a07ca14397588a462b85
• Instruction Fuzzy Hash: C6014471A00209EFDB04DFA9D945A9EB7F8FF58304F50405AFA14E7350D6749D01CBA4

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
• Instruction ID: b877054225ef4e3350f45bcc1562641029af9934b5ce7729de936fe31b072a35
• Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
• Instruction Fuzzy Hash: 4701D1322016899BE722971DCD09F59BF9DEF82B50F0840A9FE04CB7A1D77AC801C614

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b627fec25eb6c257f11bb661ccd3427e14fda07872aab31bb01d22e531437400
• Instruction ID: ab05798bc39431e93aed1aa5a08349eb7750dde63312b09564f159c227f0e74c
• Opcode Fuzzy Hash: b627fec25eb6c257f11bb661ccd3427e14fda07872aab31bb01d22e531437400
• Instruction Fuzzy Hash: EC014F71A002499BDB04DFA9D945AEEBBF8FF59310F14405EE505E7380D774EA01CB98

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
• Instruction ID: ab26306ed7abc651caa3486531b9fbdb3f63f89b3d691d0ae7b1c26bf4fdd2a0
• Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
• Instruction Fuzzy Hash: 63F01D7220001EBFEF019F94DD80DAF7B7EEB59298B144129FA1192160D635DD21ABA0

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a97a19f1e511e6cac47997f9e3e7c49fcdf049b4e51916ca43bc9068e806d256
• Instruction ID: 7a96578ee20f513b93201952295299f1c8610d7e4bf7d31fecfe129c23fc849b
• Opcode Fuzzy Hash: a97a19f1e511e6cac47997f9e3e7c49fcdf049b4e51916ca43bc9068e806d256
• Instruction Fuzzy Hash: 41018536100209ABCF229E88DC40EDA3F66FB4C664F068106FE1866220C332D971EF81

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d5211fa5dbed6554b29c64cfdf4c556343e15259fa8762b85e5fdb01b01f988
• Instruction ID: ede7ed8462e34303b96b5b381ac32028d9346f49bbb73c373df0cc580f1066d2
• Opcode Fuzzy Hash: 4d5211fa5dbed6554b29c64cfdf4c556343e15259fa8762b85e5fdb01b01f988
• Instruction Fuzzy Hash: 13F024712C42415BF310962D8C12F2632E6F7D4662F69842EEB058F3C5EA70DC0183A4

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd8c275911cada6874f0d7bc4020c47943611fadd754df09e79c65f5c80e9089
• Instruction ID: fa091f8a5dd776bde04385ee24cd51de919a09430703540afb45468368ef0dee
• Opcode Fuzzy Hash: dd8c275911cada6874f0d7bc4020c47943611fadd754df09e79c65f5c80e9089
• Instruction Fuzzy Hash: 3401AF702406819BE7669B3CCE58B2537A9BB81B48F984194BE41CBBE6DB28D842C614

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction ID: c1ca94ce74311bf3f10d901a67da3aed31de444ff8f4bc22200474c277e1101e
• Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction Fuzzy Hash: 26F0893574192347EB75FA2F9C30B3EAA56DFD0E51B15062C9559CB780DF60DC018794

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction ID: 08d0dc6a507cf316ec65b43cebbc3d2ad2e613624d2d7dc1e1e8c8d378320bc9
• Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction Fuzzy Hash: 35F089337515119BD3319A4DCC80F16B769EFD5A60F9B0169A6049B360C765EC02CFD0

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ba071a6a2772f469a778141787e08d1b2fe150a32fc305c82af0806e5eafa3c6
• Instruction ID: c55d5164d93735a7c0db3d2e8082938231a5e3a3e25c2a7cf69cf00438b71716
• Opcode Fuzzy Hash: ba071a6a2772f469a778141787e08d1b2fe150a32fc305c82af0806e5eafa3c6
• Instruction Fuzzy Hash: 8EF0C2716093049FC310EF28C945A1BBBE4FF99710F80465EB898DB394EA34ED01CB96

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
• Instruction ID: 930f54c2a66d26ae36a9dc6771e094602c0d9e0d0a97ed9938cba09b0e72e7af
• Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
• Instruction Fuzzy Hash: F9F0E972610204AFE714DF25CC01F56B7EAEF98354F258078A945D72A4FBB0ED01C654

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c55dc9dfb0cee85491d0cce66333e7be753ecfa805c1dd8c35105e1f38a0a1e
• Instruction ID: 9e82741e926c5b5e3a7a776cbd6394de223318bfe4b10f575769edde95eb3222
• Opcode Fuzzy Hash: 6c55dc9dfb0cee85491d0cce66333e7be753ecfa805c1dd8c35105e1f38a0a1e
• Instruction Fuzzy Hash: 22F0C270A0020DDFCB04EF69C915A9EB7B4FF18300F008059B805EB385DA38EE01CB54

Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 10607765637c9d97cc29ff9bade75362de4e7cfeb0277b38819b64ecf0f38de9
                                                                                                                                                                            • Instruction ID: 698eb4e9b96ebea5e116dea2cd2ecbcfb0a2e103f1834c7b882b442aadcf041e
                                                                                                                                                                            • Opcode Fuzzy Hash: 10607765637c9d97cc29ff9bade75362de4e7cfeb0277b38819b64ecf0f38de9
                                                                                                                                                                            • Instruction Fuzzy Hash: 8CF09031926EF19FE7228B5CCC44BA27FD89B01660F0B496AD94987602CFACD880CE51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d0853933235363aa4882fc5045dac283a1b9a6c254dd8f8b343dbe0ade3859d9
                                                                                                                                                                            • Instruction ID: 733e76ff19b44fb3b552ea1d2825c751e581446df354bc337266fc74e18b66d8
                                                                                                                                                                            • Opcode Fuzzy Hash: d0853933235363aa4882fc5045dac283a1b9a6c254dd8f8b343dbe0ade3859d9
                                                                                                                                                                            • Instruction Fuzzy Hash: 3FF0A76691B68117CF326B6CBC583D17BA7A752124F1A558DF4A15F345C6F4C483C324
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: fe34a2d478a1b269358a82b2853a6bf2f82624378efba4d5c655dc63fcbdcb50
                                                                                                                                                                            • Instruction ID: 3cef6cb224e71676a9bfc13c87ffde5e85c3ff35f414d4fcf3d020b049196738
                                                                                                                                                                            • Opcode Fuzzy Hash: fe34a2d478a1b269358a82b2853a6bf2f82624378efba4d5c655dc63fcbdcb50
                                                                                                                                                                            • Instruction Fuzzy Hash: 15F0E2755117719FE3A29B1CCD48B517BDCAB41BA0F099429DD0687612C764EA81CA70
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                                                            • Instruction ID: 3f7da2704c4d5ae72b1de4b6da9bd4ffd69d3465c20ca1d29d910295a66e2a90
                                                                                                                                                                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                                                            • Instruction Fuzzy Hash: 55E0D8323006012BE7119E598CD0F47776FDFD2B10F04007DB9049F252CAE2DC0983A8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                                                            • Instruction ID: d3e96b3e705f63f017eb404f7e9c09676ab13511516762a83d44627e6159026f
                                                                                                                                                                            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                                                            • Instruction Fuzzy Hash: 28F06572104204DFE3218F0ADE84FA2B7F9EB55364F45C029E6099B661D379EC80CFA4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                                            • Instruction ID: 881ccaf08e2ef839d2d7ae0765ff0bc0409d21ba975088340e0d50e4e29326f6
                                                                                                                                                                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                                                            • Instruction Fuzzy Hash: 16F0ED7A204B559BEB16CF19D840AE57BA9FB49360F000098F8428B301EB36E982CF94
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                                            • Instruction ID: 4df9ede5390e65404249999bd9934e76976aee7c1311d28824b74e3eb5a32a5a
                                                                                                                                                                            • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                                                            • Instruction Fuzzy Hash: D7E0D832244145ABD3E15A598C00B6677A6DBD07A0F150469EE098B258FF70DCC1C7EC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 8b288d3eeada1933846ac224ed66ffc5258121295757d7229f2d69c600c49e9a
                                                                                                                                                                            • Instruction ID: 9718024d68a3209152209cb850f9be65aa120c71c8e2ab033a4b42ecbcbe924f
                                                                                                                                                                            • Opcode Fuzzy Hash: 8b288d3eeada1933846ac224ed66ffc5258121295757d7229f2d69c600c49e9a
                                                                                                                                                                            • Instruction Fuzzy Hash: 99F02B31A259918FE772D72CDE80F6377E0AF10631F0A055CD5008BF16CB24DC40C650
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                                                            • Instruction ID: 4fe90ff62436bd33af92e3c0a0d88881b458894c8ab1e8b9e4ad46055dfb9a7f
                                                                                                                                                                            • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                                                            • Instruction Fuzzy Hash: 51E0DF32A00110BBDB21A799CD01FAABEADDF90EA0F050098BA02E7290E530DE00C6A4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                                                                            • Instruction ID: c22609b2e536bf243d7121ebd321e2a53714abf83469fcd2a372b1cf1c150a16
                                                                                                                                                                            • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                                                                            • Instruction Fuzzy Hash: 79E09B316403508BCF258A1DC941A53B7EEDF95661F16806DEA1547713C331F843C6D0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: f268014f5b36dd47205359f7be8fc84b7b9aa6172b175031e908054a826666ec
                                                                                                                                                                            • Instruction ID: ac89d9ff6d4360a035e89b91db0c607bc7769fc531e1fbe000be121a3dbb5944
                                                                                                                                                                            • Opcode Fuzzy Hash: f268014f5b36dd47205359f7be8fc84b7b9aa6172b175031e908054a826666ec
                                                                                                                                                                            • Instruction Fuzzy Hash: DFE092721009649BC321BB2ADD11F8A779BEBA0364F01451DF11557190CB34A810CB88
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                                                                            • Instruction ID: 11075065e1952e5a71b727dee611c90a3d2445752fccacb43a72d6b9d5f571e0
                                                                                                                                                                            • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                                                                            • Instruction Fuzzy Hash: 9EE09231411611DFE7326F6ACC48B527BE6FF90711F148C2CA096026B0C77598C0CA84
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                                            • Instruction ID: 3e54f2af64bcba3538ff31bcdac1f988267824f8cb2536bf98f42b7b8837fced
                                                                                                                                                                            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                                                            • Instruction Fuzzy Hash: C9E0C2343403058FE715CF19C840B627BB6BFD5A10F68C068A9488F305EB72E842DB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 32e6c360de6b8f9f6226271e6501f8c22bf10e250ad6ee5f4e99511991abbe8f
                                                                                                                                                                            • Instruction ID: 1a0580ef3ef2e139f4e1af32d1e53bab0d7539e59d598f1dc568c1d2eaf02ede
                                                                                                                                                                            • Opcode Fuzzy Hash: 32e6c360de6b8f9f6226271e6501f8c22bf10e250ad6ee5f4e99511991abbe8f
                                                                                                                                                                            • Instruction Fuzzy Hash: A7D02B328851306ACFB5E11C7C04FD33E5E9B40320F018870FE0893011D554CC8282D8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                                            • Instruction ID: 8bd124ecb3fd4c40624c7c9645de8e39823c2930c51d04a079230b39bd17d2d5
                                                                                                                                                                            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                                                            • Instruction Fuzzy Hash: 2AE0C231000A10EFDB332F16DC10F9176AAFF94B10F24882DE081171A887B4AC82CB88
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 1dc954f8d7f76370de5ca63e9d7873f68480679358ddafcd3c04e67fab172053
                                                                                                                                                                            • Instruction ID: 5be32a6d9f4c4cd01f49a0650df9767827579cad59d1330ae1e4a356a68a6b4d
                                                                                                                                                                            • Opcode Fuzzy Hash: 1dc954f8d7f76370de5ca63e9d7873f68480679358ddafcd3c04e67fab172053
                                                                                                                                                                            • Instruction Fuzzy Hash: BCE0C2332018606BC321FB5DDD10F4A739FEFA4370F014229F15187690CA64AC00CB98
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                                                                                            • Instruction ID: 71672e3dd4ff03d6310fdac111b6c7eaa09e0f07bb39de863a608dd33b25b281
                                                                                                                                                                            • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                                                                                            • Instruction Fuzzy Hash: 95D05E36511A50AFD3329F1BEE00C13BBF9FBC4A10705062EA54683A20C770AC06CBA0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                                            • Instruction ID: 6b39d9ed5fece23d79bc538b520984440872c2af2e3942d0866b4facff303685
                                                                                                                                                                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                                            • Instruction Fuzzy Hash: C8D0A932214620ABDB32AA1CFC00FC333E9BB88720F06049DB008C7250C364AC81CA88
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                                            • Instruction ID: 261ca165073b70a64b38ccfc00219d2c4e8ec5d45258915e882e66f3dc6c8076
                                                                                                                                                                            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                                                                                            • Instruction Fuzzy Hash: 65E0EC359506849BDF12DF59CA40F5ABBB9BB94B40F150058E1485B760C729A901CB40
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                                            • Instruction ID: 789f5f1680e15a080f92ed7b80784af8b162c92997de546153101606f2931d68
                                                                                                                                                                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                                            • Instruction Fuzzy Hash: 00D022322130B093CB2856956D00F636906ABC0A95F0E002C340AD3A04C1088C43C2E0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                                                            • Instruction ID: b74b561ed14007ae4850f22878b33bac0c054c025650e2c380f219e9374e2e5b
                                                                                                                                                                            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                                                                                            • Instruction Fuzzy Hash: F8D012371D054DBBCB119F66DC01F957BA9E7A4BA0F444020B504875A0C63AE950D584
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 8402c59f4b9b08bf17d47a4cee71184ed920c68a131fac3b0b09881a8816bcd9
                                                                                                                                                                            • Instruction ID: a404c57320229bc4e9c0831339156d6dda36f20859e8805bed6b6b2b1de2793f
                                                                                                                                                                            • Opcode Fuzzy Hash: 8402c59f4b9b08bf17d47a4cee71184ed920c68a131fac3b0b09881a8816bcd9
                                                                                                                                                                            • Instruction Fuzzy Hash: 90D092356566069BDF6ADB59CE10A6A7ABDEF64B41F4000ACEA0192620E329E8128A50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                                            • Instruction ID: 60e1f7bb0ddddfb67f89f237bdc3a8b8a894f14d7ec525b15cdb0958f99f622a
                                                                                                                                                                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                                            • Instruction Fuzzy Hash: 15D0C935212E80CFD61BCB0CC9A4F1533A8FB84B44F814490F501CBB22DB6CD944CA00
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
Strings
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01694655
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016946FC
• CLIENT(ntdll): Processing section info %ws..., xrefs: 01694787
• ExecuteOptions, xrefs: 016946A0
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01694725
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01694742
• Execute=1, xrefs: 01694713
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
Strings
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016902E7
• RTL: Re-Waiting, xrefs: 0169031E
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016902BD
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
Strings
• RTL: Resource at %p, xrefs: 01697B8E
• RTL: Re-Waiting, xrefs: 01697BAC
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01697B7F
Memory Dump Source
• Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
                                                                                                                                                                            • Opcode ID: 37c71c85a01c7d2c353c794a44ee3679c150a21345beea95a48fbf0f03b8f4c7
                                                                                                                                                                            • Instruction ID: 71dbad531b24956e28806ce13c88416cb21ad28005f482ecf0aee26d1a35915d
                                                                                                                                                                            • Opcode Fuzzy Hash: 37c71c85a01c7d2c353c794a44ee3679c150a21345beea95a48fbf0f03b8f4c7
                                                                                                                                                                            • Instruction Fuzzy Hash: BD41E2317007029FDB25CE2DDC40B6AB7EAEF98710F100A1DE95A9B380DB31E8058F95
                                                                                                                                                                            APIs
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0169728C
                                                                                                                                                                            Strings
                                                                                                                                                                            • RTL: Resource at %p, xrefs: 016972A3
                                                                                                                                                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01697294
                                                                                                                                                                            • RTL: Re-Waiting, xrefs: 016972C1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                            • API String ID: 885266447-605551621
                                                                                                                                                                            • Opcode ID: 54ab18484dc5572d79ebe932786b1ba062e5a24c07cb4bfbb56bc6ea30a41664
                                                                                                                                                                            • Instruction ID: a58019a71875c8df013bb04d3e60e89a85a459002bde078bdf8113180cd98075
                                                                                                                                                                            • Opcode Fuzzy Hash: 54ab18484dc5572d79ebe932786b1ba062e5a24c07cb4bfbb56bc6ea30a41664
                                                                                                                                                                            • Instruction Fuzzy Hash: 7F41FF31611206ABCB21CE69CC81B6ABBAAFF94710F14465DFD55EB380DB20E8528BD5
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                                                            • String ID: %%%u$]:%u
                                                                                                                                                                            • API String ID: 48624451-3050659472
                                                                                                                                                                            • Opcode ID: b3b59becaf48e5cac8cb5c4e0411b9b652b8c16af2df4b35077ad59d9c95e69d
                                                                                                                                                                            • Instruction ID: a9ca8117f4434ac0ad5d50d9d1f46dd98f7ae43ef23e71c0bd84c65ea67bb70d
                                                                                                                                                                            • Opcode Fuzzy Hash: b3b59becaf48e5cac8cb5c4e0411b9b652b8c16af2df4b35077ad59d9c95e69d
                                                                                                                                                                            • Instruction Fuzzy Hash: DB318172A002199FDB20DF2DCC50BEEB7F9EB44610F45455EED49E3200EF30AA548BA0
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __aulldvrm
                                                                                                                                                                            • String ID: +$-
                                                                                                                                                                            • API String ID: 1302938615-2137968064
                                                                                                                                                                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                                                                                            • Instruction ID: 2d5b6f16d1d83535f5a6ab1ad42409fe2206da714652ac694a9376635612f62d
                                                                                                                                                                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                                                                                            • Instruction Fuzzy Hash: 3891B271E0020A9BEB24DF6DCC80ABEBBBDAF84728F14451AE955E73C0D7349941CB51
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000003.00000002.2110209718.00000000015F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015F0000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_3_2_15f0000_Bank swift.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: $$@
                                                                                                                                                                            • API String ID: 0-1194432280
                                                                                                                                                                            • Opcode ID: 3211f14d5238881fe04c9304802790714eb01125b0116dcfdd12e549fe93c1a5
                                                                                                                                                                            • Instruction ID: ae7f058f65aced2930810460b94554d605f0b177b4752f2d93c2770d633d53ea
                                                                                                                                                                            • Opcode Fuzzy Hash: 3211f14d5238881fe04c9304802790714eb01125b0116dcfdd12e549fe93c1a5
                                                                                                                                                                            • Instruction Fuzzy Hash: 4C812971D002799BDB31DB54CC54BEABBB8AF48714F1041EAEA19B7280D7709E85CFA4

                                                                                                                                                                            Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 419
Total number of Limit Nodes: 15
                                                                                                                                                                            execution_graph 13878 f2562e4 13879 f25636f 13878->13879 13880 f256305 13878->13880 13880->13879 13881 f2560c2 2 API calls 13880->13881 13881->13879 13728 f250b66 13729 f250b6a 13728->13729 13730 f250cb5 CreateMutexExW 13729->13730 13731 f250cce 13729->13731 13730->13731 13882 f253ce2 13883 f253dd9 13882->13883 13884 f254022 13883->13884 13888 f253352 13883->13888 13886 f253f0d 13886->13884 13897 f253792 13886->13897 13890 f25339e 13888->13890 13889 f253595 13893 f259232 NtCreateFile 13889->13893 13896 f25358e 13889->13896 13890->13889 13891 f2534ec 13890->13891 13890->13896 13892 f259232 NtCreateFile 13891->13892 13894 f2534ff 13892->13894 13893->13896 13895 f259232 NtCreateFile 13894->13895 13894->13896 13895->13896 13896->13886 13898 f2537e0 13897->13898 13899 f259232 NtCreateFile 13898->13899 13901 f25390c 13899->13901 13900 f253af3 13900->13886 13901->13900 13902 f253352 NtCreateFile 13901->13902 13903 f253602 NtCreateFile 13901->13903 13902->13901 13903->13901 13506 f25abac 13507 f25abb1 13506->13507 13540 f25abb6 13507->13540 13541 f250b72 13507->13541 13509 f25ac2c 13510 f25ac85 13509->13510 13512 f25ac54 13509->13512 13513 f25ac69 13509->13513 13509->13540 13511 f258ab2 NtProtectVirtualMemory 13510->13511 13516 f25ac8d 13511->13516 13517 f258ab2 NtProtectVirtualMemory 13512->13517 13514 f25ac80 13513->13514 13515 f25ac6e 13513->13515 13514->13510 13519 f25ac97 13514->13519 13518 f258ab2 NtProtectVirtualMemory 13515->13518 13577 f252102 13516->13577 13521 f25ac5c 13517->13521 13523 f25ac76 13518->13523 13524 f25ac9c 13519->13524 13525 f25acbe 13519->13525 13563 f251ee2 13521->13563 13569 f251fc2 13523->13569 13545 f258ab2 13524->13545 13527 f25acc7 13525->13527 13528 f25acd9 13525->13528 13525->13540 13530 f258ab2 NtProtectVirtualMemory 13527->13530 13531 f258ab2 NtProtectVirtualMemory 
13528->13531 13528->13540 13533 f25accf 13530->13533 13534 f25ace5 13531->13534 13587 f2522f2 13533->13587 13605 f252712 13534->13605 13543 f250b93 13541->13543 13542 f250cce 13542->13509 13543->13542 13544 f250cb5 CreateMutexExW 13543->13544 13544->13542 13546 f258adf 13545->13546 13547 f258ebc 13546->13547 13617 f24e8f2 13546->13617 13555 f251de2 13547->13555 13549 f258e5c 13550 f24e8f2 NtProtectVirtualMemory 13549->13550 13551 f258e7c 13550->13551 13552 f24e8f2 NtProtectVirtualMemory 13551->13552 13553 f258e9c 13552->13553 13554 f24e8f2 NtProtectVirtualMemory 13553->13554 13554->13547 13556 f251df0 13555->13556 13558 f251ecd 13556->13558 13640 f255382 13556->13640 13559 f24e412 13558->13559 13560 f24e440 13559->13560 13561 f24e473 13560->13561 13562 f24e44d CreateThread 13560->13562 13561->13540 13562->13540 13565 f251f06 13563->13565 13564 f251fa4 13564->13540 13565->13564 13566 f24e8f2 NtProtectVirtualMemory 13565->13566 13567 f251f9c 13566->13567 13568 f255382 ObtainUserAgentString 13567->13568 13568->13564 13571 f252016 13569->13571 13570 f2520f0 13570->13540 13571->13570 13574 f24e8f2 NtProtectVirtualMemory 13571->13574 13575 f2520bb 13571->13575 13572 f2520e8 13573 f255382 ObtainUserAgentString 13572->13573 13573->13570 13574->13575 13575->13572 13576 f24e8f2 NtProtectVirtualMemory 13575->13576 13576->13572 13579 f252137 13577->13579 13578 f2522d5 13578->13540 13579->13578 13580 f24e8f2 NtProtectVirtualMemory 13579->13580 13581 f25228a 13580->13581 13582 f24e8f2 NtProtectVirtualMemory 13581->13582 13583 f2522a9 13582->13583 13584 f2522cd 13583->13584 13586 f24e8f2 NtProtectVirtualMemory 13583->13586 13585 f255382 ObtainUserAgentString 13584->13585 13585->13578 13586->13584 13588 f252349 13587->13588 13589 f25249f 13588->13589 13591 f24e8f2 NtProtectVirtualMemory 13588->13591 13590 f24e8f2 NtProtectVirtualMemory 13589->13590 13594 f2524c3 13589->13594 13590->13594 13592 f252480 13591->13592 13593 f24e8f2 NtProtectVirtualMemory 13592->13593 13593->13589 
13595 f24e8f2 NtProtectVirtualMemory 13594->13595 13596 f252597 13594->13596 13595->13596 13597 f24e8f2 NtProtectVirtualMemory 13596->13597 13598 f2525bf 13596->13598 13597->13598 13600 f2526b9 13598->13600 13602 f24e8f2 NtProtectVirtualMemory 13598->13602 13599 f2526e1 13601 f255382 ObtainUserAgentString 13599->13601 13600->13599 13604 f24e8f2 NtProtectVirtualMemory 13600->13604 13603 f2526e9 13601->13603 13602->13600 13603->13540 13604->13599 13606 f252767 13605->13606 13607 f24e8f2 NtProtectVirtualMemory 13606->13607 13610 f252903 13606->13610 13608 f2528e3 13607->13608 13609 f24e8f2 NtProtectVirtualMemory 13608->13609 13609->13610 13613 f252992 13610->13613 13615 f24e8f2 NtProtectVirtualMemory 13610->13615 13611 f2529b7 13612 f255382 ObtainUserAgentString 13611->13612 13614 f2529bf 13612->13614 13613->13611 13616 f24e8f2 NtProtectVirtualMemory 13613->13616 13614->13540 13615->13613 13616->13611 13618 f24e987 13617->13618 13620 f24e9b2 13618->13620 13632 f24f622 13618->13632 13621 f24eba2 13620->13621 13623 f24eac5 13620->13623 13625 f24ec0c 13620->13625 13622 f25ae12 NtProtectVirtualMemory 13621->13622 13631 f24eb5b 13622->13631 13636 f25ae12 13623->13636 13625->13549 13626 f25ae12 NtProtectVirtualMemory 13626->13625 13627 f24eae3 13627->13625 13628 f24eb3d 13627->13628 13629 f25ae12 NtProtectVirtualMemory 13627->13629 13630 f25ae12 NtProtectVirtualMemory 13628->13630 13629->13628 13630->13631 13631->13625 13631->13626 13633 f24f67a 13632->13633 13634 f25ae12 NtProtectVirtualMemory 13633->13634 13635 f24f67e 13633->13635 13634->13633 13635->13620 13637 f25ae45 NtProtectVirtualMemory 13636->13637 13638 f259942 13636->13638 13639 f25ae70 13637->13639 13638->13637 13639->13627 13641 f2553c7 13640->13641 13644 f255232 13641->13644 13643 f255438 13643->13558 13645 f25525e 13644->13645 13648 f2548c2 13645->13648 13647 f25526b 13647->13643 13649 f254934 13648->13649 13650 f2549a6 13649->13650 13651 f254995 ObtainUserAgentString 13649->13651 13650->13647 13651->13650 
13818 f24f42e 13819 f24f45b 13818->13819 13827 f24f4c9 13818->13827 13820 f259232 NtCreateFile 13819->13820 13819->13827 13821 f24f496 13820->13821 13822 f24f4c5 13821->13822 13824 f24f082 NtCreateFile 13821->13824 13823 f259232 NtCreateFile 13822->13823 13822->13827 13823->13827 13825 f24f4b6 13824->13825 13825->13822 13826 f24ef52 NtCreateFile 13825->13826 13826->13822 13862 f25baa9 13863 f25baaf 13862->13863 13866 f256212 13863->13866 13865 f25bac7 13867 f256237 13866->13867 13868 f25621b 13866->13868 13867->13865 13868->13867 13869 f2560c2 2 API calls 13868->13869 13869->13867 13828 f25522a 13829 f25525e 13828->13829 13830 f2548c2 ObtainUserAgentString 13829->13830 13831 f25526b 13830->13831 13904 f2522f4 13905 f252349 13904->13905 13906 f25249f 13905->13906 13908 f24e8f2 NtProtectVirtualMemory 13905->13908 13907 f24e8f2 NtProtectVirtualMemory 13906->13907 13911 f2524c3 13906->13911 13907->13911 13909 f252480 13908->13909 13910 f24e8f2 NtProtectVirtualMemory 13909->13910 13910->13906 13912 f24e8f2 NtProtectVirtualMemory 13911->13912 13913 f252597 13911->13913 13912->13913 13914 f24e8f2 NtProtectVirtualMemory 13913->13914 13915 f2525bf 13913->13915 13914->13915 13918 f24e8f2 NtProtectVirtualMemory 13915->13918 13919 f2526b9 13915->13919 13916 f2526e1 13917 f255382 ObtainUserAgentString 13916->13917 13920 f2526e9 13917->13920 13918->13919 13919->13916 13921 f24e8f2 NtProtectVirtualMemory 13919->13921 13921->13916 13787 f25b9f1 13788 f25b9f7 13787->13788 13791 f250852 13788->13791 13790 f25ba0f 13792 f250865 13791->13792 13793 f2508e4 13791->13793 13792->13793 13795 f250887 13792->13795 13797 f25087e 13792->13797 13793->13790 13794 f25636f 13794->13790 13795->13793 13799 f254662 13795->13799 13797->13794 13798 f2560c2 2 API calls 13797->13798 13798->13794 13800 f25466b 13799->13800 13808 f2547ba 13799->13808 13801 f24e0f2 2 API calls 13800->13801 13800->13808 13803 f2546ee 13801->13803 13802 f254750 13805 f25483f 13802->13805 13806 f254791 13802->13806 
13802->13808 13803->13802 13804 f259f82 2 API calls 13803->13804 13804->13802 13807 f259f82 2 API calls 13805->13807 13805->13808 13806->13808 13809 f259f82 2 API calls 13806->13809 13807->13808 13808->13793 13809->13808 13810 f24f5f1 13811 f24f606 13810->13811 13812 f24f60e 13810->13812 13813 f254662 2 API calls 13811->13813 13813->13812 13922 f24e0f1 13923 f24e109 13922->13923 13927 f24e1d3 13922->13927 13924 f24e012 2 API calls 13923->13924 13925 f24e113 13924->13925 13926 f259f82 2 API calls 13925->13926 13925->13927 13926->13927 13758 f25b9b3 13759 f25b9bd 13758->13759 13762 f2506d2 13759->13762 13761 f25b9e0 13763 f2506f7 13762->13763 13765 f250704 13762->13765 13764 f24e0f2 2 API calls 13763->13764 13766 f2506ff 13764->13766 13765->13766 13767 f25072d 13765->13767 13769 f250737 13765->13769 13766->13761 13771 f2562c2 13767->13771 13769->13766 13770 f259f82 2 API calls 13769->13770 13770->13766 13772 f2562df 13771->13772 13773 f2562cb 13771->13773 13772->13766 13773->13772 13775 f2560c2 13773->13775 13776 f2560cb 13775->13776 13778 f2561f0 13775->13778 13777 f259f82 2 API calls 13776->13777 13776->13778 13777->13778 13778->13772 13492 f259232 13493 f25925c 13492->13493 13495 f259334 13492->13495 13494 f259410 NtCreateFile 13493->13494 13493->13495 13494->13495 13779 f251fbf 13781 f252016 13779->13781 13780 f2520f0 13781->13780 13784 f24e8f2 NtProtectVirtualMemory 13781->13784 13785 f2520bb 13781->13785 13782 f2520e8 13783 f255382 ObtainUserAgentString 13782->13783 13783->13780 13784->13785 13785->13782 13786 f24e8f2 NtProtectVirtualMemory 13785->13786 13786->13782 13870 f2548be 13871 f2548c3 13870->13871 13872 f2549a6 13871->13872 13873 f254995 ObtainUserAgentString 13871->13873 13873->13872 13874 f2560b9 13875 f2560ed 13874->13875 13877 f2561f0 13874->13877 13876 f259f82 2 API calls 13875->13876 13875->13877 13876->13877 13928 f2520fb 13930 f252137 13928->13930 13929 f2522d5 13930->13929 13931 f24e8f2 NtProtectVirtualMemory 13930->13931 13932 f25228a 
13931->13932 13933 f24e8f2 NtProtectVirtualMemory 13932->13933 13936 f2522a9 13933->13936 13934 f2522cd 13935 f255382 ObtainUserAgentString 13934->13935 13935->13929 13936->13934 13937 f24e8f2 NtProtectVirtualMemory 13936->13937 13937->13934 13736 f259f7a 13737 f259fb8 13736->13737 13738 f2565b2 socket 13737->13738 13739 f25a081 13737->13739 13741 f25a022 13737->13741 13738->13739 13740 f25a117 getaddrinfo 13739->13740 13739->13741 13740->13741 13832 f25883a 13833 f258841 13832->13833 13834 f259f82 2 API calls 13833->13834 13836 f2588c5 13834->13836 13835 f258906 13836->13835 13837 f259232 NtCreateFile 13836->13837 13837->13835 13483 f259f82 13484 f259fb8 13483->13484 13486 f25a081 13484->13486 13488 f25a022 13484->13488 13489 f2565b2 13484->13489 13487 f25a117 getaddrinfo 13486->13487 13486->13488 13487->13488 13490 f2565ec 13489->13490 13491 f25660a socket 13489->13491 13490->13491 13491->13486 13854 f25ba4d 13855 f25ba53 13854->13855 13858 f24f782 13855->13858 13857 f25ba6b 13859 f24f78f 13858->13859 13860 f24f7ad 13859->13860 13861 f254662 2 API calls 13859->13861 13860->13857 13861->13860 13742 f25314a 13743 f253153 13742->13743 13748 f253174 13742->13748 13745 f255382 ObtainUserAgentString 13743->13745 13744 f2531e7 13746 f25316c 13745->13746 13747 f24e0f2 2 API calls 13746->13747 13747->13748 13748->13744 13750 f24e1f2 13748->13750 13751 f24e2c9 13750->13751 13752 f24e20f 13750->13752 13751->13748 13753 f258f12 3 API calls 13752->13753 13755 f24e242 13752->13755 13753->13755 13754 f24e289 13754->13751 13757 f24e0f2 2 API calls 13754->13757 13755->13754 13756 f24f432 NtCreateFile 13755->13756 13756->13754 13757->13751 13838 f25ae0a 13839 f259942 13838->13839 13840 f25ae45 NtProtectVirtualMemory 13839->13840 13841 f25ae70 13840->13841 13938 f253cd4 13940 f253cd8 13938->13940 13939 f254022 13940->13939 13941 f253352 NtCreateFile 13940->13941 13942 f253f0d 13941->13942 13942->13939 13943 f253792 NtCreateFile 13942->13943 13943->13942 13496 f25ae12 13497 f25ae45 
NtProtectVirtualMemory 13496->13497 13500 f259942 13496->13500 13499 f25ae70 13497->13499 13501 f259967 13500->13501 13501->13497 13842 f24f613 13844 f24f620 13842->13844 13843 f24f67e 13844->13843 13845 f25ae12 NtProtectVirtualMemory 13844->13845 13845->13844 13944 f251edd 13946 f251f06 13944->13946 13945 f251fa4 13946->13945 13947 f24e8f2 NtProtectVirtualMemory 13946->13947 13948 f251f9c 13947->13948 13949 f255382 ObtainUserAgentString 13948->13949 13949->13945 13652 f24e2dd 13655 f24e31a 13652->13655 13653 f24e3fa 13654 f24e328 SleepEx 13654->13654 13654->13655 13655->13653 13655->13654 13659 f258f12 13655->13659 13668 f24f432 13655->13668 13678 f24e0f2 13655->13678 13661 f258f48 13659->13661 13660 f259134 13660->13655 13661->13660 13662 f2590e9 13661->13662 13666 f259232 NtCreateFile 13661->13666 13684 f259f82 13661->13684 13663 f259125 13662->13663 13690 f258842 13662->13690 13698 f258922 13663->13698 13666->13661 13669 f24f45b 13668->13669 13677 f24f4c9 13668->13677 13670 f259232 NtCreateFile 13669->13670 13669->13677 13671 f24f496 13670->13671 13672 f24f4c5 13671->13672 13710 f24f082 13671->13710 13673 f259232 NtCreateFile 13672->13673 13672->13677 13673->13677 13675 f24f4b6 13675->13672 13719 f24ef52 13675->13719 13677->13655 13679 f24e1d3 13678->13679 13680 f24e109 13678->13680 13679->13655 13724 f24e012 13680->13724 13682 f24e113 13682->13679 13683 f259f82 2 API calls 13682->13683 13683->13679 13685 f259fb8 13684->13685 13686 f2565b2 socket 13685->13686 13687 f25a081 13685->13687 13689 f25a022 13685->13689 13686->13687 13688 f25a117 getaddrinfo 13687->13688 13687->13689 13688->13689 13689->13661 13691 f25886d 13690->13691 13706 f259232 13691->13706 13693 f258906 13693->13662 13694 f258888 13694->13693 13695 f259f82 2 API calls 13694->13695 13696 f2588c5 13694->13696 13695->13696 13696->13693 13697 f259232 NtCreateFile 13696->13697 13697->13693 13699 f2589c2 13698->13699 13700 f259232 NtCreateFile 13699->13700 13702 f2589d6 13700->13702 13701 f258a9f 
13701->13660 13702->13701 13703 f258a5d 13702->13703 13705 f259f82 2 API calls 13702->13705 13703->13701 13704 f259232 NtCreateFile 13703->13704 13704->13701 13705->13703 13707 f25925c 13706->13707 13709 f259334 13706->13709 13708 f259410 NtCreateFile 13707->13708 13707->13709 13708->13709 13709->13694 13711 f24f420 13710->13711 13712 f24f0aa 13710->13712 13711->13675 13712->13711 13713 f259232 NtCreateFile 13712->13713 13714 f24f1f9 13713->13714 13715 f259232 NtCreateFile 13714->13715 13718 f24f3df 13714->13718 13716 f24f3c9 13715->13716 13717 f259232 NtCreateFile 13716->13717 13717->13718 13718->13675 13720 f24ef84 13719->13720 13721 f24ef70 13719->13721 13722 f259232 NtCreateFile 13720->13722 13721->13672 13723 f24f046 13722->13723 13723->13672 13726 f24e031 13724->13726 13725 f24e0cd 13725->13682 13726->13725 13727 f259f82 2 API calls 13726->13727 13727->13725 13846 f25ba1f 13847 f25ba25 13846->13847 13850 f24f5f2 13847->13850 13849 f25ba3d 13851 f24f60e 13850->13851 13852 f24f5fb 13850->13852 13851->13849 13852->13851 13853 f254662 2 API calls 13852->13853 13853->13851 13814 f251dd9 13816 f251df0 13814->13816 13815 f251ecd 13816->13815 13817 f255382 ObtainUserAgentString 13816->13817 13817->13815
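The execution_graph above is a flattened dump of Joe Sandbox's graph widget: each node is `<id> <address> [label]`, where the label is either a resolved API name (e.g. `NtProtectVirtualMemory`) or a collapsed count such as `2 API calls`, and each edge is `<id>-><id>`. Reading the API sequence out of that text by eye is impractical, so the following added example (written for this page, not Joe Sandbox's own tooling) parses the token stream and walks the call tree from a chosen root address to list which APIs are reachable from it. The sample input is an excerpt copied from the execution_graph block above (trimmed to two subtrees); the token-format rules it assumes (5-digit node ids, lowercase hex addresses, `N API calls` for collapsed callees) are inferred from the page, not documented by the vendor.

```python
import re
from collections import defaultdict, deque

# Token shapes observed in the report's execution_graph dump (assumption, not a vendor spec).
NODE_ID = re.compile(r"^\d{4,}$")               # node ids are 5-digit integers, e.g. 13506
HEX_ADDR = re.compile(r"^[0-9a-f]{6,8}$")       # virtual address following the id, e.g. f25abac
EDGE = re.compile(r"^(\d+)->(\d+)$")            # caller->callee
UNRESOLVED = re.compile(r"^(\d+) API calls$")   # collapsed subtree, e.g. "2 API calls"

# Constructed sample: an excerpt of the execution_graph above, reduced to the
# f25abac subtree (mutex + NtProtectVirtualMemory) and the f2562e4 subtree.
SAMPLE_GRAPH = """
13506 f25abac 13507 f25abb1 13506->13507 13540 f25abb6 13507->13540 13541 f250b72 13507->13541
13509 f25ac2c 13510 f25ac85 13509->13510 13512 f25ac54 13509->13512 13509->13540
13511 f258ab2 NtProtectVirtualMemory 13510->13511 13516 f25ac8d 13511->13516
13517 f258ab2 NtProtectVirtualMemory 13512->13517 13521 f25ac5c 13517->13521
13543 f250b93 13541->13543 13542 f250cce 13542->13509 13543->13542
13544 f250cb5 CreateMutexExW 13543->13544 13544->13542
13878 f2562e4 13879 f25636f 13878->13879 13880 f256305 13878->13880 13880->13879 13881 f2560c2 2 API calls 13880->13881 13881->13879
"""


def parse_execution_graph(text):
    """Return (nodes, succ): nodes maps id -> (address, label); succ maps id -> [callee ids]."""
    tokens = text.split()
    nodes, succ = {}, defaultdict(list)
    i, current = 0, None
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            succ[int(edge.group(1))].append(int(edge.group(2)))
            current = None            # a label never continues past an edge token
            i += 1
            continue
        # A node declaration is an id immediately followed by a hex address.
        # The "2" in "2 API calls" is too short to match NODE_ID, so it stays a label.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = [tokens[i + 1], []]
            i += 2
            continue
        if current is not None:       # label words belong to the node just declared
            nodes[current][1].append(tok)
        i += 1
    return {k: (addr, " ".join(words)) for k, (addr, words) in nodes.items()}, succ


def reachable_apis(nodes, succ, root_addr):
    """BFS from the node at root_addr; return (sorted resolved API names, unresolved call count)."""
    root = next(i for i, (addr, _) in nodes.items() if addr == root_addr)
    seen, queue = {root}, deque([root])
    apis, unresolved = set(), 0
    while queue:
        n = queue.popleft()
        label = nodes.get(n, ("", ""))[1]   # edges may reference ids outside the excerpt
        m = UNRESOLVED.match(label)
        if m:
            unresolved += int(m.group(1))   # collapsed callees: count them, cannot name them
        elif label:
            apis.add(label)
        for s in succ.get(n, []):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return sorted(apis), unresolved


if __name__ == "__main__":
    nodes, succ = parse_execution_graph(SAMPLE_GRAPH)
    for root in ("f25abac", "f2562e4"):
        apis, unresolved = reachable_apis(nodes, succ, root)
        print(f"{root}: apis={apis} unresolved_api_calls={unresolved}")
```

Running it on the excerpt shows that everything under f25abac bottoms out in `CreateMutexExW` and `NtProtectVirtualMemory` (consistent with the "Found direct / indirect Syscall" and injection signatures in the overview), while the f2562e4 subtree only carries a collapsed `2 API calls` node, which the report does not resolve. Pasting the full execution_graph block into `SAMPLE_GRAPH` works the same way; node ids that appear only on the edge side of the excerpt are tolerated.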

Control-flow Graph
                                                                                                                                                                            control_flow_graph 295 f259232-f259256 296 f2598bd-f2598cd 295->296 297 f25925c-f259260 295->297 297->296 298 f259266-f2592a0 297->298 299 f2592a2-f2592a6 298->299 300 f2592bf 298->300 299->300 301 f2592a8-f2592ac 299->301 302 f2592c6 300->302 303 f2592b4-f2592b8 301->303 304 f2592ae-f2592b2 301->304 305 f2592cb-f2592cf 302->305 303->305 306 f2592ba-f2592bd 303->306 304->302 307 f2592d1-f2592f7 call f259942 305->307 308 f2592f9-f25930b 305->308 306->305 307->308 312 f259378 307->312 308->312 313 f25930d-f259332 308->313 316 f25937a-f2593a0 312->316 314 f259334-f25933b 313->314 315 f2593a1-f2593a8 313->315 317 f259366-f259370 314->317 318 f25933d-f259360 call f259942 314->318 319 f2593d5-f2593dc 315->319 320 f2593aa-f2593d3 call f259942 315->320 317->312 325 f259372-f259373 317->325 318->317 322 f259410-f259458 NtCreateFile call f259172 319->322 323 f2593de-f25940a call f259942 319->323 320->312 320->319 331 f25945d-f25945f 322->331 323->312 323->322 325->312 331->312 332 f259465-f25946d 331->332 332->312 333 f259473-f259476 332->333 334 f259486-f25948d 333->334 335 f259478-f259481 333->335 336 f2594c2-f2594ec 334->336 337 f25948f-f2594b8 call f259942 334->337 335->316 343 f2594f2-f2594f5 336->343 344 f2598ae-f2598b8 336->344 337->312 342 f2594be-f2594bf 337->342 342->336 345 f259604-f259611 343->345 346 f2594fb-f2594fe 343->346 344->312 345->316 347 f259500-f259507 346->347 348 f25955e-f259561 346->348 351 f259509-f259532 call f259942 347->351 352 f259538-f259559 347->352 353 f259567-f259572 348->353 354 f259616-f259619 348->354 351->312 351->352 358 f2595e9-f2595fa 352->358 359 f259574-f25959d call f259942 353->359 360 f2595a3-f2595a6 353->360 356 f25961f-f259626 354->356 357 f2596b8-f2596bb 354->357 366 f259657-f25966b call f25ae92 356->366 367 f259628-f259651 call f259942 356->367 363 
f2596bd-f2596c4 357->363 364 f259739-f25973c 357->364 358->345 359->312 359->360 360->312 362 f2595ac-f2595b6 360->362 362->312 372 f2595bc-f2595e6 362->372 373 f2596f5-f259734 363->373 374 f2596c6-f2596ef call f259942 363->374 368 f2597c4-f2597c7 364->368 369 f259742-f259749 364->369 366->312 383 f259671-f2596b3 366->383 367->312 367->366 368->312 379 f2597cd-f2597d4 368->379 376 f25974b-f259774 call f259942 369->376 377 f25977a-f2597bf 369->377 372->358 393 f259894-f2598a9 373->393 374->344 374->373 376->344 376->377 377->393 384 f2597d6-f2597f6 call f259942 379->384 385 f2597fc-f259803 379->385 383->316 384->385 391 f259805-f259825 call f259942 385->391 392 f25982b-f259835 385->392 391->392 392->344 394 f259837-f25983e 392->394 393->316 394->344 398 f259840-f259886 394->398 398->393
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: e92e7fd37f6bcde91f78835bcf8492fdd8a804d2d3c2f7de6dd3150a9fd1c72e
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: 2E224C70A28B0ADFCB59DF28C4986AEF7E1FB58701F80022ED45ED7251DB35A591CB81

Control-flow Graph
control_flow_graph 434 f25ae12-f25ae38 435 f25ae45-f25ae6e NtProtectVirtualMemory 434->435 436 f25ae40 call f259942 434->436 437 f25ae70-f25ae7c 435->437 438 f25ae7d-f25ae8f 435->438 436->435
APIs
• NtProtectVirtualMemory.NTDLL ref: 0F25AE67
Memory Dump Source
• Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: babbbf32f607ff137f734f8c631bcc4657d3b088a96321d4369e968e6b04f63c
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: 7A019E30628B884F8B88EF6C948112AB7E4FBCA214F000B3EE99AC3250EB74C5414B42

Control-flow Graph
control_flow_graph 439 f25ae0a-f25ae6e call f259942 NtProtectVirtualMemory 442 f25ae70-f25ae7c 439->442 443 f25ae7d-f25ae8f 439->443
APIs
• NtProtectVirtualMemory.NTDLL ref: 0F25AE67
Memory Dump Source
• Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: cb16cdb5c5f0efe403cf665c22759232467d2f30c33748b5d814306ede80dd25
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 4101A234628B884B8B48EB3C94412A6B3E5FBCE314F000B3EE99AC3241DB35D5024B82

Control-flow Graph
                                                                                                                                                                            control_flow_graph 0 f259f82-f259fb6 1 f259fd6-f259fd9 0->1 2 f259fb8-f259fbc 0->2 4 f259fdf-f259fed 1->4 5 f25a8fe-f25a90c 1->5 2->1 3 f259fbe-f259fc2 2->3 3->1 6 f259fc4-f259fc8 3->6 7 f25a8f6-f25a8f7 4->7 8 f259ff3-f259ff7 4->8 6->1 9 f259fca-f259fce 6->9 7->5 10 f259fff-f25a000 8->10 11 f259ff9-f259ffd 8->11 9->1 12 f259fd0-f259fd4 9->12 13 f25a00a-f25a010 10->13 11->10 11->13 12->1 12->4 14 f25a012-f25a020 13->14 15 f25a03a-f25a060 13->15 14->15 18 f25a022-f25a026 14->18 16 f25a062-f25a066 15->16 17 f25a068-f25a07c call f2565b2 15->17 16->17 19 f25a0a8-f25a0ab 16->19 22 f25a081-f25a0a2 17->22 18->7 21 f25a02c-f25a035 18->21 23 f25a144-f25a150 19->23 24 f25a0b1-f25a0b8 19->24 21->7 22->19 26 f25a8ee-f25a8ef 22->26 25 f25a156-f25a165 23->25 23->26 27 f25a0e2-f25a0f5 24->27 28 f25a0ba-f25a0dc call f259942 24->28 29 f25a167-f25a178 call f256552 25->29 30 f25a17f-f25a18f 25->30 26->7 27->26 32 f25a0fb-f25a101 27->32 28->27 29->30 34 f25a1e5-f25a21b 30->34 35 f25a191-f25a1da call f256732 30->35 32->26 37 f25a107-f25a109 32->37 41 f25a22d-f25a231 34->41 42 f25a21d-f25a22b 34->42 35->34 52 f25a1dc-f25a1e1 35->52 37->26 38 f25a10f-f25a111 37->38 38->26 45 f25a117-f25a132 getaddrinfo 38->45 43 f25a247-f25a24b 41->43 44 f25a233-f25a245 41->44 47 f25a27f-f25a280 42->47 48 f25a261-f25a265 43->48 49 f25a24d-f25a25f 43->49 44->47 45->23 50 f25a134-f25a13c 45->50 51 f25a283-f25a2e0 call f25ad62 call f257482 call f256e72 call f25b002 47->51 53 f25a267-f25a26b 48->53 54 f25a26d-f25a279 48->54 49->47 50->23 63 f25a2f4-f25a354 call f25ad92 51->63 64 f25a2e2-f25a2e6 51->64 52->34 53->51 53->54 54->47 69 f25a48c-f25a4b8 call f25ad62 call f25b262 63->69 70 f25a35a-f25a396 call f25ad62 call f25b262 call f25b002 63->70 64->63 65 f25a2e8-f25a2ef call f257042 64->65 65->63 79 f25a4d9-f25a590 call f25b262 * 3 call 
f25b002 * 2 call f257482 69->79 80 f25a4ba-f25a4d5 69->80 85 f25a398-f25a3b7 call f25b262 call f25b002 70->85 86 f25a3bb-f25a3e9 call f25b262 * 2 70->86 111 f25a595-f25a5b9 call f25b262 79->111 80->79 85->86 101 f25a415-f25a41d 86->101 102 f25a3eb-f25a410 call f25b002 call f25b262 86->102 105 f25a442-f25a448 101->105 106 f25a41f-f25a425 101->106 102->101 105->111 112 f25a44e-f25a456 105->112 109 f25a467-f25a487 call f25b262 106->109 110 f25a427-f25a43d 106->110 109->111 110->111 121 f25a5d1-f25a6ad call f25b262 * 7 call f25b002 call f25ad62 call f25b002 call f256e72 call f257042 111->121 122 f25a5bb-f25a5cc call f25b262 call f25b002 111->122 112->111 113 f25a45c-f25a45d 112->113 113->109 132 f25a6af-f25a6b3 121->132 122->132 135 f25a6b5-f25a6fa call f256382 call f2567b2 132->135 136 f25a6ff-f25a72d call f2566b2 132->136 152 f25a8e6-f25a8e7 135->152 143 f25a75d-f25a761 136->143 144 f25a72f-f25a735 136->144 149 f25a767-f25a76b 143->149 150 f25a90d-f25a913 143->150 144->143 148 f25a737-f25a74c 144->148 148->143 153 f25a74e-f25a754 148->153 154 f25a771-f25a773 149->154 155 f25a8aa-f25a8df call f2567b2 149->155 156 f25a779-f25a784 150->156 157 f25a919-f25a920 150->157 152->26 153->143 160 f25a756 153->160 154->155 154->156 155->152 161 f25a786-f25a793 156->161 162 f25a795-f25a796 156->162 157->161 160->143 161->162 165 f25a79c-f25a7a0 161->165 162->165 167 f25a7b1-f25a7b2 165->167 168 f25a7a2-f25a7af 165->168 170 f25a7b8-f25a7c4 167->170 168->167 168->170 173 f25a7f4-f25a861 170->173 174 f25a7c6-f25a7ef call f25ad92 call f25ad62 170->174 185 f25a8a3-f25a8a4 173->185 186 f25a863 173->186 174->173 185->155 186->185 188 f25a865-f25a86a 186->188 188->185 190 f25a86c-f25a872 188->190 190->185 192 f25a874-f25a8a1 190->192 192->185 192->186
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
Similarity
• API ID: getaddrinfo
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 300660673-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: d246e407f05ff86c6b3218aa17486fbe4668a1b916b38f0e93ed77cd4b93f4e5
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: B4526E30624B098FCB29EF68C4857E9B7E1FB54700F50462EC89BCB156DE78B94ACB51

Control-flow Graph
APIs
• ObtainUserAgentString.URLMON ref: 0F2549A0
Strings
Memory Dump Source
• Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: 56027388ac6fff43c55b9bc1d211b37d0b5cf58687012774a4aaaf19a2e24e02
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: DC31D131A24B0C8FCB04EFA8C8857EDB7E0FB58605F40422AD85ED7241DE789649C789

Control-flow Graph
APIs
• ObtainUserAgentString.URLMON ref: 0F2549A0
Strings
Memory Dump Source
• Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: 304486e6ded7163d424ee224c49fecde04a366e6a1b9b2cf8e0b313ed686b387
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: 2D21D530A24B0D8BCB05EFA8C8557EDBBE0FF58704F40421AD85AD7241DF789645CB85

Control-flow Graph
control_flow_graph 234 f250b66-f250b68 235 f250b93-f250bb8 234->235 236 f250b6a-f250b6b 234->236 237 f250bbb-f250bbc 235->237 238 f250b6d-f250b71 236->238 239 f250bbe-f250c22 call f257612 call f259942 * 2 236->239 237->239 238->237 240 f250b73-f250b92 238->240 248 f250cdc 239->248 249 f250c28-f250c2b 239->249 240->235 250 f250cde-f250cf6 248->250 249->248 251 f250c31-f250cb0 call f25bda4 call f25b022 call f25b3e2 call f25b022 call f25b3e2 249->251 263 f250cb5-f250cca CreateMutexExW 251->263 264 f250cce-f250cd3 263->264 264->248 265 f250cd5-f250cda 264->265 265->250
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: 11b09bb150af711695d17586a8332b45cd1a42eb59abb072545eac328b488ecd
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: B2415B70928A098FDB54EFA8C8D47ADB7E0FF98300F44457ACC4EDB256DA349945CB85

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateMutex
                                                                                                                                                                            • String ID: .dll$el32$kern
                                                                                                                                                                            • API String ID: 1964310414-1222553051
                                                                                                                                                                            • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                                            • Instruction ID: 2147eae90fd2a24a14ae359a247508232de252a91f475e3208cbe20cb0e8bd06
                                                                                                                                                                            • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                                            • Instruction Fuzzy Hash: 8F412C70928A098FDB54EFA8C8987EDB7E0FF98301F44416ACC4EDB256DE349945CB85

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727
• Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction ID: df4ad06aef87cc97cc3e4ae606cb9ade0ec04b118266575923e2c9cf09560713
• Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction Fuzzy Hash: EE012C70618A188FCB84EF1CE048B54BBE0FB59314F1545AEE85ECB266C7B4C9818B86

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction ID: c2d235b8ff09f8d5e2d799d5a0e8972c166678bdc960de10bb6e240f1e631176
• Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction Fuzzy Hash: 98315C70624F49DEEB69AF6980482E5BBA1FB44300F85466EC95D8A107C7B8B050CF91

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.4516511425.000000000F210000.00000040.80000000.00040000.00000000.sdmp, Offset: 0F210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f210000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction ID: 44cd84e2b10853748fe2f0bcb48dda51a729051bd45051a688ed35e51800e5dc
• Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction Fuzzy Hash: EBF02230228F094FE788EB2CD44163AF3E0FBE9200F40063EA94DC3221CA38D5814706

Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: 9241fd721ba2365f74dff231ea878760df6b03a6cf009dd61f31d3cf6a3f3a6f
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: C8E16C74628F488FCB64DF68C8957AAB7E1FB58300F504A2EA59FC7245DF30A541CB89

Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: 398120a00bd1e034c922f31fb9e5167f93f6495cc46cb98c6f886498281a2428
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: 3DB15A34518B488EDB59EF68C48AAEEB7F1FF98300F50451EE49AC7251EF70A505CB86

Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: 5644505cbd6af00fea9d8a7c7ff9a385dd814cf610cf1544e3f178fe9b460513
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction Fuzzy Hash: FF41B1B1B18B088FDB14DF88A4466BDBBE2FB48740F00426EE409D7345DBB5AD458BD6

Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
• API String ID: 0-355182820
• Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction ID: a7fa4dcabce3138b87640ef6478d93c3a4d8eaba5adcac836bfe0e171fbda565
• Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
• Instruction Fuzzy Hash: D9C15B74228B098FC758EF64C496AEAF7E1FB94304F40462EA59AC7210DF70A615CBC6

Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: .$0$c$n$r$r$r$r$r$r$r$r
• API String ID: 0-97273177
• Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction ID: 6b35611def06bac7385aaada3ffd50ed2b0cca4f296e295850fc6448ebe197a3
• Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
• Instruction Fuzzy Hash: 0251C2355287488FD709CF18D8916AAB7E5FB85700F501A2EF8DBC7241DBB4A906CB82

Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
• Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction ID: 22648a6ba6accfd0dd6882bc5f1fe7110da7689c0d22e73959aa6a35273ea9e5
• Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction Fuzzy Hash: F6C17E74628B598FC758EF68D456AEAB3E1FB98300F414329A44AC7351DF30EA01CBC5
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                            • API String ID: 0-639201278
                                                                                                                                                                            • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                            • Instruction ID: f32247ff4a8465fd823d9deb1544aee5f199684f9d9611ff467d85075a72c341
                                                                                                                                                                            • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                            • Instruction Fuzzy Hash: 6FC17D74628B598FC758EF68D496AEAB3E1FB98300F514329A44AC7351DF30EA01CBC5
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                            • API String ID: 0-2058692283
                                                                                                                                                                            • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                            • Instruction ID: 020f6b8d04ca04cdd2d877e09f7367a9edd8f0218746d2a8c7d25a6c83e59c0c
                                                                                                                                                                            • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                            • Instruction Fuzzy Hash: 2CA19F706187488FDB19EFA8D445BEEBBE1FF88300F40462DE48AD7251EF7095468789
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                            • API String ID: 0-2058692283
                                                                                                                                                                            • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                            • Instruction ID: 6ab00e969fe839bb1b8786da872635a491e09976dfa747baa642c687f12b6d70
                                                                                                                                                                            • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                            • Instruction Fuzzy Hash: B7919E70A187488FDB18EFA8D445BEEB7E1FF88300F40462EE48AD7251EF7095468789
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: $.$e$n$v
                                                                                                                                                                            • API String ID: 0-1849617553
                                                                                                                                                                            • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                            • Instruction ID: ba423e01e324ebbc681ef65350fb5d661ea09619ab359325b2e7dcb3617831d2
                                                                                                                                                                            • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                            • Instruction Fuzzy Hash: C371A2356187498FD759DF68D4857AAB7F1FF98304F00062EE48AC7261EF70E9458B81
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                                                                            • API String ID: 0-1970020201
                                                                                                                                                                            • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                            • Instruction ID: 2c501915ec6579f7db163a3b4a76e6847623e237dd2349d0c4549ac4f82ca8f0
                                                                                                                                                                            • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                            • Instruction Fuzzy Hash: 94514BB0918B4D8FDB55DFA4C045AEEB7F1FF58300F404A2EA59AE7214EF30A5418B89
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 4$\$dll$ion.$vers
                                                                                                                                                                            • API String ID: 0-1610437797
                                                                                                                                                                            • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                            • Instruction ID: b46a2fa2208d2a160614691dd529d62b4a1ccd1620bbc1527522b698807d6db7
                                                                                                                                                                            • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                            • Instruction Fuzzy Hash: 46418234229B8C8FCBA5EF6498457EA73E4FB98341F41462E988EC7350EF30E5458782
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                                            • API String ID: 0-327345718
                                                                                                                                                                            • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                            • Instruction ID: fd439ea921580d5b7d6ff76dbab7eb52fc61b537dc96ac3825eaa6b3855d8a4c
                                                                                                                                                                            • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                            • Instruction Fuzzy Hash: 6A415C31A18F0D8FCB94EF6890967AE77E1FB68340F51856AA80ED7310DA71D940CBC6
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: .dll$el32$h$kern
                                                                                                                                                                            • API String ID: 0-4264704552
                                                                                                                                                                            • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                            • Instruction ID: 58f7ecef28c2ebfa79454fbad8fd64d793942c934e1cd4ba2198b9b00d01428e
                                                                                                                                                                            • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                            • Instruction Fuzzy Hash: 50418F70608B4D8FD7A9DF2994893AAB7E1FB98340F104B2E949EC3355DB70D945CB81
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: $Snif$f fr$om:
                                                                                                                                                                            • API String ID: 0-3434893486
                                                                                                                                                                            • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                            • Instruction ID: 0328efdb0be4d11b7ed6623bc1e4955a599b9c979398baedd145e344f4775016
                                                                                                                                                                            • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                            • Instruction Fuzzy Hash: BB31E47551CB886FD71ADB28C485AEAB7D0FB94300F50491EE49BC7351EE30A54ACB43
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction ID: 3b5d59e950a9f4ed12265192b1356681e5517e0270b0845105a9686fddcb49a2
• Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction Fuzzy Hash: EF31F275508B486FD71ADB28C485AEAB7D4FB94300F40492EE4ABC3355EE30E50ACB43
Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$chro$hild$me_c
• API String ID: 0-3136806129
• Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction ID: ffcf400ee21c81e1652ed7711478fe141f07b785d0531711e41d6d56bd398397
• Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction Fuzzy Hash: CA317C74118B488FC784EF688495BAAB7E1FB98300F80062DA44ECB315DF30E905C792
Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$chro$hild$me_c
• API String ID: 0-3136806129
• Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
• Instruction ID: d0806b4e235e60eb3d2822896d6609097e58bf4cbe39e232eb9d2d30e81a246e
• Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
• Instruction Fuzzy Hash: 34316B74218B488FC784EF688495BAAB7E1FF98300F84462DA44ACB355DF30E905CB96
Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 0-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: 4271456a7cad71dbb1ddd8677aa2fc1fb5a23f8c35a5cb708e1984829ee2eb4d
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: AE31DF31614B4D8BCB45EFA8C8857EEBBE1FB98205F40022AE45ED7340DF789645C789
Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 0-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: 5573094693d3790a00a42998e69d7cdb06a134e23a1773863a4e277bb5c9a942
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: 5D21D070A10B4D8BCB05EFA8C8957EEBBE1FF58205F40422AE45AD7344DF749605CB89
Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
• Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction ID: 5b36b41f4b6c899a325ab5c5a2734fba47b4aea62e87139ad3c0dc5ec3653d55
• Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
• Instruction Fuzzy Hash: 94214878A24B0D9BDB48EFA8D045BE9BBF1FB58304F50462EE049D3700DB74A5518B84
Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: .$l$l$t
• API String ID: 0-168566397
• Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
• Instruction ID: c4b9941504c9855cd7d9f4b70b673ad63593e34db7f36cd489dbee0ffb543d4c
• Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
• Instruction Fuzzy Hash: 86215C74A24B0D9FDB48EFA8D0457ADBAF1FB58304F50462EE049D3710DB74A551CB84
Strings
Memory Dump Source
• Source File: 00000004.00000002.4517597366.00000000109D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 109D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_109d0000_explorer.jbxd
Similarity
• API ID:
• String ID: auth$logi$pass$user
• API String ID: 0-2393853802
• Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction ID: e7eea00ba75c08e7f8bda01d3a6a5dda338814f99cd6ecd95ad67bdcefd4fbde
• Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
• Instruction Fuzzy Hash: 1921CA30614B0D8BCB45DF9998916EEB7F1EF88344F00461AE40AEB344DBB0E9148BC2

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 6.8%
Signature Coverage: 0%
Total number of Nodes: 620
Total number of Limit Nodes: 70
[Execution graph: node/edge data of the interactive graph view (node ids, code addresses in the 0x2fd7ea0-0x2fecfed and 0x5532c0a-0x5532df0 ranges, and API-call nodes for LdrLoadDll, LdrInitializeThunk, NtCreateFile, NtReadFile, NtClose, NtAllocateVirtualMemory, RtlAllocateHeap and RtlFreeHeap); the raw layout export is not reproduced here.]
112130->112131 112132 2fd817e 112131->112132 112132->111744 112134 2feaf20 LdrLoadDll 112133->112134 112135 2fea59c 112134->112135 112138 5532c70 LdrInitializeThunk 112135->112138 112136 2fea5b3 112136->112124 112138->112136 112140 2feb583 112139->112140 112143 2fdace0 112140->112143 112144 2fdad04 112143->112144 112145 2fd9c4b 112144->112145 112146 2fdad40 LdrLoadDll 112144->112146 112145->111752 112146->112145 112149 2fdb053 112147->112149 112148 2fdb0d0 112148->111757 112149->112148 112162 2fe9c50 LdrLoadDll 112149->112162 112152 2feaf20 LdrLoadDll 112151->112152 112153 2fdf1ab 112152->112153 112153->111765 112154 2fea790 112153->112154 112155 2feaf20 LdrLoadDll 112154->112155 112156 2fea7af LookupPrivilegeValueW 112155->112156 112156->111761 112158 2feaf20 LdrLoadDll 112157->112158 112159 2fea23c 112158->112159 112163 5532ea0 LdrInitializeThunk 112159->112163 112160 2fea25b 112160->111762 112162->112148 112163->112160 112165 2fdb1b9 112164->112165 112166 2fdb030 LdrLoadDll 112165->112166 112167 2fdb1f4 112166->112167 112167->111697 112169 2fdaf24 112168->112169 112241 2fe9c50 LdrLoadDll 112169->112241 112171 2fdaf5e 112171->111699 112173 2fdf39c 112172->112173 112174 2fdb1b0 LdrLoadDll 112173->112174 112175 2fdf3ae 112174->112175 112242 2fdf280 112175->112242 112178 2fdf3c9 112181 2fdf3d4 112178->112181 112182 2fea450 2 API calls 112178->112182 112179 2fdf3e1 112180 2fdf3f2 112179->112180 112183 2fea450 2 API calls 112179->112183 112180->111702 112181->111702 112182->112181 112183->112180 112185 2fdf42c 112184->112185 112261 2fdb2a0 112185->112261 112187 2fdf43e 112188 2fdf280 3 API calls 112187->112188 112189 2fdf44f 112188->112189 112190 2fdf459 112189->112190 112191 2fdf471 112189->112191 112193 2fdf464 112190->112193 112194 2fea450 2 API calls 112190->112194 112192 2fdf482 112191->112192 112195 2fea450 2 API calls 112191->112195 112192->111704 112193->111704 112194->112193 112195->112192 112197 2fdca96 112196->112197 112198 2fdcaa0 112196->112198 
112197->111713 112199 2fdaf00 LdrLoadDll 112198->112199 112200 2fdcb3e 112199->112200 112201 2fdcb64 112200->112201 112202 2fdb030 LdrLoadDll 112200->112202 112201->111713 112203 2fdcb80 112202->112203 112204 2fe4a40 8 API calls 112203->112204 112205 2fdcbd5 112204->112205 112205->111713 112207 2fdd636 112206->112207 112208 2fdb030 LdrLoadDll 112207->112208 112209 2fdd64a 112208->112209 112265 2fdd300 112209->112265 112211 2fd908b 112212 2fdcbf0 112211->112212 112213 2fdcc16 112212->112213 112214 2fdb030 LdrLoadDll 112213->112214 112215 2fdcc99 112213->112215 112214->112215 112216 2fdb030 LdrLoadDll 112215->112216 112217 2fdcd06 112216->112217 112218 2fdaf00 LdrLoadDll 112217->112218 112219 2fdcd6f 112218->112219 112220 2fdb030 LdrLoadDll 112219->112220 112221 2fdce1f 112220->112221 112221->111727 112225 2fd8d14 112222->112225 112294 2fdf6c0 112222->112294 112224 2fd8f25 112224->111682 112225->112224 112299 2fe4390 112225->112299 112227 2fd8d70 112227->112224 112302 2fd8ab0 112227->112302 112230 2fecef0 2 API calls 112231 2fd8db2 112230->112231 112232 2fed020 3 API calls 112231->112232 112237 2fd8dc7 112232->112237 112233 2fd7ea0 4 API calls 112233->112237 112236 2fdc7a0 18 API calls 112236->112237 112237->112224 112237->112233 112237->112236 112238 2fd8160 2 API calls 112237->112238 112307 2fdf660 112237->112307 112311 2fdf070 21 API calls 112237->112311 112238->112237 112239->111706 112240->111724 112241->112171 112243 2fdf29a 112242->112243 112251 2fdf350 112242->112251 112244 2fdb030 LdrLoadDll 112243->112244 112245 2fdf2bc 112244->112245 112252 2fe9f00 112245->112252 112247 2fdf2fe 112255 2fe9f40 112247->112255 112250 2fea450 2 API calls 112250->112251 112251->112178 112251->112179 112253 2feaf20 LdrLoadDll 112252->112253 112254 2fe9f1c 112253->112254 112254->112247 112256 2feaf20 LdrLoadDll 112255->112256 112257 2fe9f5c 112256->112257 112260 55335c0 LdrInitializeThunk 112257->112260 112258 2fdf344 112258->112250 112260->112258 112262 2fdb2c7 112261->112262 
112263 2fdb030 LdrLoadDll 112262->112263 112264 2fdb303 112263->112264 112264->112187 112266 2fdd317 112265->112266 112274 2fdf700 112266->112274 112270 2fdd38b 112271 2fdd392 112270->112271 112285 2fea260 LdrLoadDll 112270->112285 112271->112211 112273 2fdd3a5 112273->112211 112275 2fdf725 112274->112275 112286 2fd81a0 112275->112286 112277 2fdd35f 112282 2fea6a0 112277->112282 112278 2fdf749 112278->112277 112279 2fe4a40 8 API calls 112278->112279 112281 2febd80 2 API calls 112278->112281 112293 2fdf540 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 112278->112293 112279->112278 112281->112278 112283 2feaf20 LdrLoadDll 112282->112283 112284 2fea6bf CreateProcessInternalW 112283->112284 112284->112270 112285->112273 112287 2fd829f 112286->112287 112288 2fd81b5 112286->112288 112287->112278 112288->112287 112289 2fe4a40 8 API calls 112288->112289 112290 2fd8222 112289->112290 112291 2febd80 2 API calls 112290->112291 112292 2fd8249 112290->112292 112291->112292 112292->112278 112293->112278 112295 2fe4e40 LdrLoadDll 112294->112295 112296 2fdf6df 112295->112296 112297 2fdf6ed 112296->112297 112298 2fdf6e6 SetErrorMode 112296->112298 112297->112225 112298->112297 112312 2fdf490 112299->112312 112301 2fe43b6 112301->112227 112303 2febd00 2 API calls 112302->112303 112305 2fd8ad5 112303->112305 112304 2fd8cea 112304->112230 112305->112304 112331 2fe9840 112305->112331 112308 2fdf673 112307->112308 112379 2fe9e50 112308->112379 112311->112237 112313 2fdf4ad 112312->112313 112319 2fe9f80 112313->112319 112316 2fdf4f5 112316->112301 112320 2feaf20 LdrLoadDll 112319->112320 112321 2fe9f9c 112320->112321 112329 5532f30 LdrInitializeThunk 112321->112329 112322 2fdf4ee 112322->112316 112324 2fe9fd0 112322->112324 112325 2feaf20 LdrLoadDll 112324->112325 112326 2fe9fec 112325->112326 112330 5532d10 LdrInitializeThunk 112326->112330 112327 2fdf51e 112327->112301 112329->112322 112330->112327 112332 2febf50 2 API calls 112331->112332 112333 2fe9857 112332->112333 112352 
2fd9310 112333->112352 112335 2fe9872 112336 2fe9899 112335->112336 112337 2fe98b0 112335->112337 112338 2febd80 2 API calls 112336->112338 112339 2febd00 2 API calls 112337->112339 112340 2fe98a6 112338->112340 112341 2fe98ea 112339->112341 112340->112304 112342 2febd00 2 API calls 112341->112342 112343 2fe9903 112342->112343 112346 2fe9ba4 112343->112346 112358 2febd40 LdrLoadDll 112343->112358 112345 2fe9b89 112345->112346 112347 2fe9b90 112345->112347 112350 2febd80 2 API calls 112346->112350 112348 2febd80 2 API calls 112347->112348 112349 2fe9b9a 112348->112349 112349->112304 112351 2fe9bf9 112350->112351 112351->112304 112353 2fd9335 112352->112353 112354 2fdace0 LdrLoadDll 112353->112354 112355 2fd9368 112354->112355 112356 2fd938d 112355->112356 112359 2fdcf10 112355->112359 112356->112335 112358->112345 112360 2fdcf3c 112359->112360 112361 2fea1a0 LdrLoadDll 112360->112361 112362 2fdcf55 112361->112362 112363 2fdcf5c 112362->112363 112370 2fea1e0 112362->112370 112363->112356 112367 2fdcf97 112368 2fea450 2 API calls 112367->112368 112369 2fdcfba 112368->112369 112369->112356 112371 2feaf20 LdrLoadDll 112370->112371 112372 2fea1fc 112371->112372 112378 5532ca0 LdrInitializeThunk 112372->112378 112373 2fdcf7f 112373->112363 112375 2fea7d0 112373->112375 112376 2feaf20 LdrLoadDll 112375->112376 112377 2fea7ef 112376->112377 112377->112367 112378->112373 112380 2feaf20 LdrLoadDll 112379->112380 112381 2fe9e6c 112380->112381 112384 5532dd0 LdrInitializeThunk 112381->112384 112382 2fdf69e 112382->112237 112384->112382 112387 5532ad0 LdrInitializeThunk 112388 2fe9040 112389 2febd00 2 API calls 112388->112389 112391 2fe907b 112389->112391 112390 2fe915c 112391->112390 112392 2fdace0 LdrLoadDll 112391->112392 112393 2fe90b1 112392->112393 112394 2fe4e40 LdrLoadDll 112393->112394 112396 2fe90cd 112394->112396 112395 2fe90e0 Sleep 112395->112396 112396->112390 112396->112395 112399 2fe8c60 LdrLoadDll 112396->112399 112400 2fe8e70 LdrLoadDll 112396->112400 
112399->112396 112400->112396 112401 53bcb84 112404 53ba042 112401->112404 112403 53bcba5 112405 53ba06b 112404->112405 112406 53ba182 NtQueryInformationProcess 112405->112406 112421 53ba56c 112405->112421 112408 53ba1ba 112406->112408 112407 53ba1ef 112407->112403 112408->112407 112409 53ba2db 112408->112409 112410 53ba290 112408->112410 112411 53ba2fc NtSuspendThread 112409->112411 112433 53b9de2 NtCreateSection NtMapViewOfSection NtClose 112410->112433 112413 53ba30d 112411->112413 112415 53ba331 112411->112415 112413->112403 112414 53ba2cf 112414->112403 112417 53ba412 112415->112417 112424 53b9bb2 112415->112424 112418 53ba531 112417->112418 112419 53ba4a6 NtSetContextThread 112417->112419 112420 53ba552 NtResumeThread 112418->112420 112423 53ba4bd 112419->112423 112420->112421 112421->112403 112422 53ba51c NtQueueApcThread 112422->112418 112423->112418 112423->112422 112425 53b9bf7 112424->112425 112426 53b9c66 NtCreateSection 112425->112426 112427 53b9ca0 112426->112427 112430 53b9d4e 112426->112430 112428 53b9cc1 NtMapViewOfSection 112427->112428 112429 53b9d0c 112428->112429 112428->112430 112429->112430 112431 53b9d88 112429->112431 112430->112417 112432 53b9dc5 NtClose 112431->112432 112432->112417 112433->112414
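The 053B0000 call graph above is the section-mapping thread-injection order (create a section, map it into the target, redirect a thread with a new context or a queued APC, resume it). As an added example, not part of the Joe Sandbox report and not code from the sample, here is a small Python matcher that flags that order in a per-thread API trace. The `pid tid api` trace format and both sample traces are constructed for the example; nothing in them is report data.

```python
"""Flag the section-mapping thread-injection chain in an API-call trace.

Added example; the 'pid tid api' trace format and the sample traces below are
constructed for illustration, not Joe Sandbox output. The chain mirrors the
order in the report's 053B0000 graph: NtCreateSection -> NtMapViewOfSection ->
NtSetContextThread or NtQueueApcThread -> NtResumeThread. NtClose and other
calls may be interleaved, so the matcher is a subsequence match, not exact.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Each step is the set of APIs that satisfy it; order matters, gaps are allowed.
INJECTION_CHAIN: Tuple[frozenset, ...] = (
    frozenset({"NtCreateSection"}),
    frozenset({"NtMapViewOfSection"}),
    frozenset({"NtSetContextThread", "NtQueueApcThread"}),
    frozenset({"NtResumeThread"}),
)


@dataclass(frozen=True)
class ApiCall:
    pid: int
    tid: int
    api: str


def parse_trace(lines: Iterable[str]) -> List[ApiCall]:
    """Parse 'pid tid api' lines; blank lines and '#' comments are skipped."""
    calls: List[ApiCall] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pid, tid, api = line.split(maxsplit=2)
        calls.append(ApiCall(int(pid), int(tid), api))
    return calls


def find_injection_chain(
    calls: List[ApiCall], window: int = 64
) -> Optional[Tuple[int, int, List[str]]]:
    """Return (first_index, last_index, matched_apis) for the first thread whose
    calls contain INJECTION_CHAIN in order within `window` consecutive calls of
    that thread, or None. Matching is per (pid, tid): the chain is only
    suspicious when one thread performs all of it.
    """
    by_thread: Dict[Tuple[int, int], List[Tuple[int, str]]] = {}
    for i, c in enumerate(calls):
        by_thread.setdefault((c.pid, c.tid), []).append((i, c.api))
    for seq in by_thread.values():
        for start, (start_idx, start_api) in enumerate(seq):
            if start_api not in INJECTION_CHAIN[0]:
                continue
            step, matched = 0, []
            for idx, api in seq[start:start + window]:
                if api in INJECTION_CHAIN[step]:
                    matched.append(api)
                    step += 1
                    if step == len(INJECTION_CHAIN):
                        return start_idx, idx, matched
    return None


# Constructed traces. The first follows the API order of the 053B0000 graph;
# the second maps a section and then does file I/O, which is not injection.
INJECTING_TRACE = """
# pid tid api
4120 4180 LdrLoadDll
4120 4180 NtQueryInformationProcess
4120 4180 NtSuspendThread
4120 4180 NtCreateSection
4120 4180 NtMapViewOfSection
4120 4180 NtClose
4120 4180 NtSetContextThread
4120 4180 NtQueueApcThread
4120 4180 NtResumeThread
"""
BENIGN_TRACE = """
5016 5020 NtCreateSection
5016 5020 NtMapViewOfSection
5016 5020 NtClose
5016 5020 NtCreateFile
5016 5020 NtReadFile
"""


def scan(text: str) -> Optional[Tuple[int, int, List[str]]]:
    """Parse a trace and return the first injection-chain match, if any."""
    return find_injection_chain(parse_trace(text.splitlines()))


if __name__ == "__main__":
    print("injecting:", scan(INJECTING_TRACE))
    print("benign:", scan(BENIGN_TRACE))
```

The match is deliberately per thread and tolerant of interleaved calls such as NtClose, because the graph shows NtClose between the map and the context change; requiring an exact adjacent sequence would miss it. The window keeps a long-running thread that happens to create a section early and resume a thread much later from matching.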

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 053BA19F
Strings
Memory Dump Source
• Source File: 00000005.00000002.4502521224.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53b0000_cscript.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction ID: 334c78f7923972effc1022a6765a04f6ca2704ebb1b78c1ec66f4f7c4e821ab8
• Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction Fuzzy Hash: 4BF14170A18A4C8FDBA5EF68C898AEEB7E0FF98304F40462ED54AD7650DF749641CB41

Control-flow Graph

Control-flow graph 207 (rendered graph; basic-block list condensed to the blocks that call out): entry 53b9baf-53b9bef; 53b9bf2 calls 53b9102; 53b9c0c-53b9c9a calls 53bb942 twice, then NtCreateSection; 53b9ca0-53b9d0a calls 53bb942, then NtMapViewOfSection; 53b9d74-53b9d86 calls 53b9172; 53b9d88-53b9ddc calls 53bcd62, then NtClose.
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4502521224.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53b0000_cscript.jbxd
Similarity
• API ID: Section$CloseCreateView
• String ID: @$@
• API String ID: 1133238012-149943524
• Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction ID: 1d0de9121acc93b8b734459aa66f6d7b01b53cb6851478c18df3fe3d21478ccc
• Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction Fuzzy Hash: 6561927021CB088FDB58EF58D8956AABBE0FF98314F50062EE68AC3651DF75D441CB86

Control-flow Graph

Control-flow graph 266 (rendered graph; basic-block list condensed to the blocks that call out): entry 53b9bb2-53b9bfe calls 53b9102; 53b9c0c-53b9c9a calls 53bb942 twice, then NtCreateSection; 53b9ca0-53b9d0a calls 53bb942, then NtMapViewOfSection; 53b9d74-53b9d86 calls 53b9172; 53b9d88-53b9ddc calls 53bcd62, then NtClose.
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4502521224.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53b0000_cscript.jbxd
Similarity
• API ID: Section$CreateView
• String ID: @$@
• API String ID: 1585966358-149943524
• Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction ID: 255e0f5bfdc243a284e7a2712aac6ba43422d22a47458df1b0070eadcc45bb78
• Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction Fuzzy Hash: B5517F70618B088FD758DF18D895AAABBE0FB88314F50062EE68AC3651DF75D441CB86

Control-flow Graph

APIs
• NtQueryInformationProcess.NTDLL ref: 053BA19F
Strings
Memory Dump Source
• Source File: 00000005.00000002.4502521224.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_53b0000_cscript.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction ID: 551645f47d0675eca6af42b94c5dc05ea8bac17b289a7dd056202bb7eb55cd2a
• Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction Fuzzy Hash: 0B515E70918A8C8FEB69EF68C8946EEB7F0FB98305F40462ED54AD7610DF709645CB41

Control-flow Graph

Control-flow graph 565 (rendered graph): single block 2fea320-2fea371, calls 2feaf20 (the LdrLoadDll resolver stub), then NtCreateFile.
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,02FE4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02FE4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02FEA36D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction ID: 3204c0a92a439f025c7ce7f17d17993a06a439e2d8de052441f0a9c55fbe9e9a
• Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: 9CF0BDB2200208ABCB08CF88DC84EEB77ADAF8C754F158248FA0D97240C630E8118BA4
APIs
• NtReadFile.NTDLL(02FE4D62,5EB65239,FFFFFFFF,02FE4A21,?,?,02FE4D62,?,02FE4A21,FFFFFFFF,5EB65239,02FE4D62,?,00000000), ref: 02FEA415
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction ID: aad779ced38d02b672395314e80917fd8ee60fe2618ec6d285f7a45aaf304975
                                                                                                                                                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                                                                                                            • Instruction Fuzzy Hash: 3DF0A4B2200208ABCB14DF89DC80EEB77ADAF8C754F158248BA1D97245D630E8118BA0
                                                                                                                                                                            APIs
                                                                                                                                                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02FD2D11,00002000,00003000,00000004), ref: 02FEA539
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocateMemoryVirtual
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2167126740-0
                                                                                                                                                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                                                                                                            • Instruction ID: 791ae7e7ef9137d15806d31cec429061b812e1a2fafc8ec6b67a5b0f9b0d2ee0
                                                                                                                                                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                                                                                                            • Instruction Fuzzy Hash: 93F015B2200208ABCB14DF89DC80EAB77ADAF88754F118148FE0997241C630F810CBB0
                                                                                                                                                                            APIs
                                                                                                                                                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02FD2D11,00002000,00003000,00000004), ref: 02FEA539
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocateMemoryVirtual
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2167126740-0
                                                                                                                                                                            • Opcode ID: 4e0d8033807141b7815a619b56b0a309f13dcba26b20c43bcee8e4998eb50e7a
                                                                                                                                                                            • Instruction ID: 3f036164a09e1575375ae6f55757e0e91027f22439b746f63c7236da2dabad6b
                                                                                                                                                                            • Opcode Fuzzy Hash: 4e0d8033807141b7815a619b56b0a309f13dcba26b20c43bcee8e4998eb50e7a
                                                                                                                                                                            • Instruction Fuzzy Hash: 32F030B62001496BCB15DF98DC84CA777A9BF88254B15865DFD499B206C634D815CBB0
                                                                                                                                                                            APIs
                                                                                                                                                                            • NtClose.NTDLL(02FE4D40,?,?,02FE4D40,00000000,FFFFFFFF), ref: 02FEA475
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Close
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3535843008-0
                                                                                                                                                                            • Opcode ID: 072bdcd647c6d36830f8f6c12112151eb3ad9b3d11557e58530cd4f796fef379
                                                                                                                                                                            • Instruction ID: c971e0a7b8f34cd4e0c277556764bba7bc93f4cc02e2a85abf9996c98b488f14
                                                                                                                                                                            • Opcode Fuzzy Hash: 072bdcd647c6d36830f8f6c12112151eb3ad9b3d11557e58530cd4f796fef379
                                                                                                                                                                            • Instruction Fuzzy Hash: F1E0C272200204AFDB20DFA8DC88FEB7B68EF44350F154559FA0DDB282C531E6008BA0
                                                                                                                                                                            APIs
                                                                                                                                                                            • NtClose.NTDLL(02FE4D40,?,?,02FE4D40,00000000,FFFFFFFF), ref: 02FEA475
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Close
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3535843008-0
                                                                                                                                                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                                                            • Instruction ID: a63239a23d9ed8e2b207f43d3a2e194ccc5b9949ab15c5000a69f843cd7658eb
                                                                                                                                                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                                                                            • Instruction Fuzzy Hash: 4CD01776200214ABDB10EB98DC85EA77BADEF88760F154499BA199B242C530FA008AE0
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 43944af95855134b3a38f04c544d4945e66a9dc096fad43ac3413cca369d9eb7
                                                                                                                                                                            • Instruction ID: c94edce7b9ad96601675ec3326aa79f10b4951d0d2ff4ed3f79af42a602d0107
                                                                                                                                                                            • Opcode Fuzzy Hash: 43944af95855134b3a38f04c544d4945e66a9dc096fad43ac3413cca369d9eb7
                                                                                                                                                                            • Instruction Fuzzy Hash: 1290023A21340002D1807159544860A006597D1216FD9D415A0015598CCD5589695721
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 97b6bd5e962619136e4b8ff38eaaa985feb23bcc4a68788ca90379a744046f0d
                                                                                                                                                                            • Instruction ID: b0a52b8b8e790747f0b5ed33d73446fc0db488f200b96d74a57ef6a21100a67e
                                                                                                                                                                            • Opcode Fuzzy Hash: 97b6bd5e962619136e4b8ff38eaaa985feb23bcc4a68788ca90379a744046f0d
                                                                                                                                                                            • Instruction Fuzzy Hash: CA900232242441525545B15944445074066A7E02557D9C012A1414990C89669956DA21
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 463fb53dc4218ff3bbf8d57864d23dfefef29716f0be9322673a8cc27d548bf6
                                                                                                                                                                            • Instruction ID: 8b9077081785fa097e4088e966b156ec2e6c88e88301b5804041403dc85b7d8b
                                                                                                                                                                            • Opcode Fuzzy Hash: 463fb53dc4218ff3bbf8d57864d23dfefef29716f0be9322673a8cc27d548bf6
                                                                                                                                                                            • Instruction Fuzzy Hash: D890023220140413D11171594544707006997D0255FD9C412A0424598D9A968A52A521
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeThunk
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2994545307-0
                                                                                                                                                                            • Opcode ID: 797df2e42d470d24fa62a2f9a165e52dff73e73c55a9a3c50f28ba84811a4a82
                                                                                                                                                                            • Instruction ID: daca135c0b27410f34b740961cf667a7af79ebc5519dbc38118aaadc4e19058c
                                                                                                                                                                            • Opcode Fuzzy Hash: 797df2e42d470d24fa62a2f9a165e52dff73e73c55a9a3c50f28ba84811a4a82
                                                                                                                                                                            • Instruction Fuzzy Hash: FC90023260550402D10071594554706106597D0215FA9C411A04245A8D8BD58A5169A2

Control-flow Graph
control_flow_graph 412 2fe9039-2fe903b 413 2fe903d-2fe9082 call 2febd00 412->413 414 2fe9012-2fe9035 call 2feab90 * 2 412->414 422 2fe915c-2fe9162 413->422 423 2fe9088-2fe90d8 call 2febdd0 call 2fdace0 call 2fe4e40 413->423 433 2fe90e0-2fe90f1 Sleep 423->433 434 2fe9156-2fe915a 433->434 435 2fe90f3-2fe90f9 433->435 434->422 434->433 436 2fe90fb-2fe9121 call 2fe8c60 435->436 437 2fe9123-2fe9144 call 2fe8e70 435->437 440 2fe9149-2fe914c 436->440 437->440 440->434
APIs
• Sleep.KERNELBASE(000007D0), ref: 02FE90E8
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: POST$net.dll$wininet.dll
• API String ID: 3472027048-3140911592
• Opcode ID: 2fabf06087d7dbdebd15fe48f2a5d0200f9a394fe5be0fa845555d94c3346e94
• Instruction ID: 22912b2c677378bee53cbf556acf916f42d0f074a5687be3a6f427aa268202b8
• Opcode Fuzzy Hash: 2fabf06087d7dbdebd15fe48f2a5d0200f9a394fe5be0fa845555d94c3346e94
• Instruction Fuzzy Hash: 7131C3B2900304AFDB16EF64CC85FABB7B9FF48B44F008159E71A5B241D774A510CBA5

Control-flow Graph
control_flow_graph 442 2fe9040-2fe9082 call 2febd00 445 2fe915c-2fe9162 442->445 446 2fe9088-2fe90d8 call 2febdd0 call 2fdace0 call 2fe4e40 442->446 453 2fe90e0-2fe90f1 Sleep 446->453 454 2fe9156-2fe915a 453->454 455 2fe90f3-2fe90f9 453->455 454->445 454->453 456 2fe90fb-2fe9121 call 2fe8c60 455->456 457 2fe9123-2fe9144 call 2fe8e70 455->457 460 2fe9149-2fe914c 456->460 457->460 460->454
APIs
• Sleep.KERNELBASE(000007D0), ref: 02FE90E8
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: e000aacb62b8a3652c6929c748928486c5a2ca362115a4fae910f14d5476fb0a
• Instruction ID: fb470756b39188ab5be68c8feb38aa143ee100897cd4c6824bd75e47f59574f3
• Opcode Fuzzy Hash: e000aacb62b8a3652c6929c748928486c5a2ca362115a4fae910f14d5476fb0a
• Instruction Fuzzy Hash: F131A1B2900745BBCB25EF64CC85F67B7B9BB48B40F00841DF72A6B244D774A610CBA8

Control-flow Graph
control_flow_graph 568 2fea630-2fea661 call 2feaf20 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02FD3AF8), ref: 02FEA65D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction ID: db81d2ac0e216f77ea1611f0a3eba470d7f9bcfb5afb6b2cc5df936fbad578b3
• Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction Fuzzy Hash: 87E046B2200208ABDB18EF99DC48EA777ADEF88750F018558FE095B241C630F910CAF0

Control-flow Graph
control_flow_graph 571 2fd82d4-2fd82d8 572 2fd82da-2fd82db 571->572 573 2fd8331-2fd8343 call 2fdace0 571->573 574 2fd82dd-2fd82e1 572->574 575 2fd8347-2fd835a call 2fe4e40 572->575 573->575 577 2fd82eb-2fd82fd call 2feb710 574->577 578 2fd82e6 call 2feb860 574->578 583 2fd835c-2fd836e PostThreadMessageW 575->583 584 2fd838e-2fd8392 575->584 578->577 586 2fd838d 583->586 587 2fd8370-2fd838b call 2fda470 PostThreadMessageW 583->587 586->584 587->586
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02FD836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02FD838B
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 3cd68d5f4df2f7854b91b3850f7326d4ebd83a89e24b4fa0936c5360ac438ba6
• Instruction ID: eec5f47e40e3f7e38f7ec115f46fe6354e39258dcab3525228166fbde8092fdf
• Opcode Fuzzy Hash: 3cd68d5f4df2f7854b91b3850f7326d4ebd83a89e24b4fa0936c5360ac438ba6
• Instruction Fuzzy Hash: CC01403194021D77DB1176645C02FFE735AAB447D4F0D0155FF08EB181D6556D0747E5

Control-flow Graph
control_flow_graph 590 2fd830c-2fd831f 591 2fd8328-2fd832d 590->591 592 2fd8323 call 2febe20 590->592 593 2fd8333-2fd833d 591->593 594 2fd832e call 2fec9c0 591->594 592->591 595 2fd8343-2fd835a call 2fe4e40 593->595 596 2fd833e call 2fdace0 593->596 594->593 600 2fd835c-2fd836e PostThreadMessageW 595->600 601 2fd838e-2fd8392 595->601 596->595 602 2fd838d 600->602 603 2fd8370-2fd838b call 2fda470 PostThreadMessageW 600->603 602->601 603->602
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02FD836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02FD838B
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 95b89736bd2c56b3cb494776ab9b1cb32613f0429a47a9058ba99c0de4bde964
• Instruction ID: 93ec033dfef89a9f1f5be36e7d1c9471c740755424380c0733a605f67f53a4c8
• Opcode Fuzzy Hash: 95b89736bd2c56b3cb494776ab9b1cb32613f0429a47a9058ba99c0de4bde964
• Instruction Fuzzy Hash: 2401F731A802287BEB21A7908C02FFE7B2DAB41B95F080119FF04FA1C1D6956A064BF5

Control-flow Graph
control_flow_graph 606 2fd8310-2fd832d call 2febe20 609 2fd8333-2fd833d 606->609 610 2fd832e call 2fec9c0 606->610 611 2fd8343-2fd835a call 2fe4e40 609->611 612 2fd833e call 2fdace0 609->612 610->609 616 2fd835c-2fd836e PostThreadMessageW 611->616 617 2fd838e-2fd8392 611->617 612->611 618 2fd838d 616->618 619 2fd8370-2fd838b call 2fda470 PostThreadMessageW 616->619 618->617 619->618
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02FD836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02FD838B
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
• Instruction ID: 65f659ab33d68c5122169cf286428fe984a9d4d7d220436a8c603705033bf884
• Opcode Fuzzy Hash: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
• Instruction Fuzzy Hash: 5501A231A8022877EB21A6949C02FBE776D6B40BD0F080119FF04BA1C1E6A56A064BF6

Control-flow Graph

Basic blocks (node id: address range, followed by any call or API made in the block):
• 622: 2fd8393-2fd8394, call 2fec9c0
• 626: 2fd8343-2fd835a, call 2fe4e40
• 627: 2fd833e, call 2fdace0
• 631: 2fd835c-2fd836e, PostThreadMessageW
• 632: 2fd838e-2fd8392
• 633: 2fd838d
• 634: 2fd8370-2fd838b, call 2fda470, PostThreadMessageW

Edges: 622->626, 622->627, 626->631, 626->632, 627->626, 631->633, 631->634, 633->632, 634->633
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02FD836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02FD838B
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02FDAD52
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02FEA6F4
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02FDF040,?,?,00000000), ref: 02FE91AC
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,02FDF1C2,02FDF1C2,?,00000000,?,?), ref: 02FEA7C0
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,?,02FDF1C2,02FDF1C2,?,00000000,?,?), ref: 02FEA7C0
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• RtlAllocateHeap.NTDLL(02FE4526,?,02FE4C9F,02FE4C9F,?,02FE4526,?,?,?,?,?,00000000,00000000,?), ref: 02FEA61D
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• SetErrorMode.KERNELBASE(00008003,?,02FD8D14,?), ref: 02FDF6EB
Memory Dump Source
• Source File: 00000005.00000002.4501696290.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2fd0000_cscript.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
• Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,?,00000000,00000000), ref: 0078750C
                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,?), ref: 00787536
                                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 00787565
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00787576
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00787587
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000), ref: 0078F7C8
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0078F7D8
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,?,00000000,00000000), ref: 0078F7FB
                                                                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,00000000,00000000), ref: 0078F81E
                                                                                                                                                                            • RegisterEventSourceW.ADVAPI32(00000000,Windows Script Host), ref: 0078F87F
                                                                                                                                                                            • GetUserNameW.ADVAPI32(?,00000100), ref: 0078F8A1
                                                                                                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 0078F8D1
                                                                                                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 0078F93E
                                                                                                                                                                            • ReportEventW.ADVAPI32(?,00000010,00000000,C0FF03E8,00000000,00000001,00000000,?,00000000), ref: 0078F9AB
                                                                                                                                                                            • DeregisterEventSource.ADVAPI32(?), ref: 0078F9B2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: EventNameOpen$AccountByteCharCloseLookupMultiSourceWide$DeregisterFreeRegisterReportStringUser__alloca_probe_16
                                                                                                                                                                            • String ID: LogSecurityFailures$LogSecuritySuccesses$Software\Microsoft\Windows Script Host\Settings$Windows Script Host
                                                                                                                                                                            • API String ID: 1645720072-2261343319
                                                                                                                                                                            • Opcode ID: 86f4e955163d14809f17682a00366a8347b3df43e788febd2df2f49da721f912
                                                                                                                                                                            • Instruction ID: addf74b7512959c9902204fca1c8e3ca0fc976858a453220abcad1f734c96e63
                                                                                                                                                                            • Opcode Fuzzy Hash: 86f4e955163d14809f17682a00366a8347b3df43e788febd2df2f49da721f912
                                                                                                                                                                            • Instruction Fuzzy Hash: 33818570A81218BBDB30AF64DC4DFEA7778AB08700F1041E5F509A6191DB789E85CF91
                                                                                                                                                                            APIs
                                                                                                                                                                            • FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,00000000,?,00000000,0078B95E,?), ref: 0078BD1E
                                                                                                                                                                            • SysAllocString.OLEAUT32(?), ref: 0078BD2F
                                                                                                                                                                            • LocalFree.KERNEL32(00000000,?,00000000,0078B95E,?), ref: 0078BD51
                                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,0078B95E,?), ref: 007914B1
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,0078B95E,?), ref: 007914D8
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 007914E4
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000,?,00000000,0078B95E,?), ref: 007914FF
                                                                                                                                                                            • FormatMessageA.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00000000,0078B95E,?), ref: 0079151B
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,00000000,?,00000000,0078B95E,?), ref: 0079152E
                                                                                                                                                                            • LocalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,0078B95E,?), ref: 00791543
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,00000000,?,00000000,0078B95E,?), ref: 0079155D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide$AllocFormatLocalMessage$ErrorFreeLastString__alloca_probe_16
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 488895409-0
                                                                                                                                                                            • Opcode ID: 6176b019add25b80f808be07f4574c12505bda8a69680f2d8980034c94279fbe
                                                                                                                                                                            • Instruction ID: 0b3a75cc2a4e5b3be46ca73539f06c8ad99209bf230068a645fb811728999321
                                                                                                                                                                            • Opcode Fuzzy Hash: 6176b019add25b80f808be07f4574c12505bda8a69680f2d8980034c94279fbe
                                                                                                                                                                            • Instruction Fuzzy Hash: 1C41947094112ABBCF215B969C08EEF7F7CEF4A760F108116F815A21A0EB388911CBF5
                                                                                                                                                                            APIs
                                                                                                                                                                            • CoCreateInstance.OLE32(0078373C,00000000,00000001,007837AC,?,00000000,00000000,?), ref: 0078CDE6
                                                                                                                                                                            • CoCreateInstance.OLE32(0078374C,00000000,00000001,007837AC,?), ref: 0078CDFA
                                                                                                                                                                            • GetUserDefaultLCID.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00787E84,00000000), ref: 0078CE11
                                                                                                                                                                            • CoGetClassObject.OLE32(0078376C,00000001,00000000,0078375C,?), ref: 0078CEB7
                                                                                                                                                                            • CreateBindCtx.OLE32(00000000,00000000), ref: 0078D062
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create$Instance$BindClassDefaultObjectUser
                                                                                                                                                                            • String ID: WSH$WScript
                                                                                                                                                                            • API String ID: 1420412123-1019903269
                                                                                                                                                                            • Opcode ID: 754697b56cd871b5c143f383af79e1aec579ffcf7cc0d3c7bee663901d97f190
                                                                                                                                                                            • Instruction ID: 854dfb16c039052e03e931906e1bdc16ca76f8c11a921a157a7f93a0395521a1
                                                                                                                                                                            • Opcode Fuzzy Hash: 754697b56cd871b5c143f383af79e1aec579ffcf7cc0d3c7bee663901d97f190
                                                                                                                                                                            • Instruction Fuzzy Hash: 8912D5B0B40205DFDB14EF55D895A6D7BB2FF88310F154069E602A73A0DF79AC42CB95
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0078DC2D
                                                                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 0078DC3C
                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0078DC45
                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 0078DC4E
                                                                                                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 0078DC63
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1445889803-0
                                                                                                                                                                            • Opcode ID: 0c07b475f0cb618ae367e66380b68acf424261c7174372df49ade5773a8faf2b
                                                                                                                                                                            • Instruction ID: 8f335cc56d66c0c6304daa3e2eb3d63e8d863ccd4d716224f926752aed3f8345
                                                                                                                                                                            • Opcode Fuzzy Hash: 0c07b475f0cb618ae367e66380b68acf424261c7174372df49ade5773a8faf2b
                                                                                                                                                                            • Instruction Fuzzy Hash: C9114871E41209EFCF20DBB9D948AAEB7F4FF48314F51886AD401E7260E7389A01CB54
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0078DBC0: malloc.MSVCRT ref: 0078DBD8
                                                                                                                                                                              • Part of subcall function 0078647E: GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,00786542,00001000,?,?), ref: 007864A8
                                                                                                                                                                              • Part of subcall function 0078647E: HeapAlloc.KERNEL32(00000000,?,00786542,00001000,?,?), ref: 007864AF
                                                                                                                                                                            • CLSIDFromString.OLE32(?,00787F49,00001000,?,?), ref: 00786557
                                                                                                                                                                            • CoCreateInstance.OLE32(00787F49,00000000,00000017,00783BD4,00000000,?,?), ref: 00786578
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Heap$AllocCreateFromInstanceProcessStringmalloc
                                                                                                                                                                            • String ID: WSH$WScript
                                                                                                                                                                            • API String ID: 3077083409-1019903269
                                                                                                                                                                            • Opcode ID: d9b9732efc7a3aada129ffd93e433686f6cc7b7e28ba39b7308b565795a8c0fb
                                                                                                                                                                            • Instruction ID: daf7de8eeaac96c178194c40d157706b5731b2e2bc68b2b648942d130871891b
                                                                                                                                                                            • Opcode Fuzzy Hash: d9b9732efc7a3aada129ffd93e433686f6cc7b7e28ba39b7308b565795a8c0fb
                                                                                                                                                                            • Instruction Fuzzy Hash: 169114B5B41525AFCB10EF18D891B6D77A1BF8C720F16006ADA02AB350DB39EC038BD5
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0078DDE0,007813B4), ref: 0078DCB1
                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(0078DDE0,?,0078DDE0,007813B4), ref: 0078DCBA
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(C0000409,?,0078DDE0,007813B4), ref: 0078DCC5
                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000,?,0078DDE0,007813B4), ref: 0078DCCC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3231755760-0
                                                                                                                                                                            • Opcode ID: 9742be46727bb486eeeed10686a78dcf739460f4b10cd8029c3b69aacd6b2231
                                                                                                                                                                            • Instruction ID: 7cd4b565e93f3840ee9690532f23853e32763ccc55be4f5c8d9fd8fb161e57a9
                                                                                                                                                                            • Opcode Fuzzy Hash: 9742be46727bb486eeeed10686a78dcf739460f4b10cd8029c3b69aacd6b2231
• Instruction Fuzzy Hash: 0BD0C932001504BBDB002BF9FC0DA693E28EB44216F048102F30982120EA3B44538BAA
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID:
• String ID: WScript.CreateObject
• API String ID: 0-1366894974
• Opcode ID: 2b083f2b5bc3bd1a354c0b1b19e8967f7084e834a4686a32433275494cdea73f
• Instruction ID: c204abb2108024be2b3c9db050c4ba6ba1571222433d5ceea05aa7f3057dc8dc
• Opcode Fuzzy Hash: 2b083f2b5bc3bd1a354c0b1b19e8967f7084e834a4686a32433275494cdea73f
• Instruction Fuzzy Hash: DFA1B0B1204A22DFCB11DF14E895A2AB7E5FF88720F15852DF94697390DB38EC05CB96
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,00786542,00001000,?,?), ref: 007864A8
• HeapAlloc.KERNEL32(00000000,?,00786542,00001000,?,?), ref: 007864AF
• GetProcessHeap.KERNEL32(00000000,00000038,00000000,?,00786542,00001000,?,?), ref: 0078E8CA
• HeapFree.KERNEL32(00000000,?,00786542,00001000,?,?), ref: 0078E8D1
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: e67e09bd92168d4f54a11b114d767c888088143caa4ec913b62a43f472ea07c0
• Instruction ID: 14e03fdf77517879d3a701a61a97e8ffe8d6abb5931e379526789281e57f6e23
• Opcode Fuzzy Hash: e67e09bd92168d4f54a11b114d767c888088143caa4ec913b62a43f472ea07c0
• Instruction Fuzzy Hash: C3F0AF31584241FBD7246FA89D09B2A76A8EB00732F24C52AF24DCB190EA7DC9808799
APIs
• InitializeCriticalSection.KERNEL32(00799498,00798AD8,000000A0,00786E82), ref: 0078A9E8
• GetVersionExA.KERNEL32(00000094), ref: 0078AA06
  • Part of subcall function 0078AADC: GetUserDefaultLCID.KERNEL32 ref: 0078AAFD
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: CriticalDefaultInitializeSectionUserVersion
• String ID:
• API String ID: 340135912-0
• Opcode ID: 414d5c10674cf8b7dbd54bb08ed24d1f358092cb00573b975c56cbbf38b61baa
• Instruction ID: c334faab5b8de9374c62a6371f5caee0cacdaece61b24be968443367a91858a0
• Opcode Fuzzy Hash: 414d5c10674cf8b7dbd54bb08ed24d1f358092cb00573b975c56cbbf38b61baa
• Instruction Fuzzy Hash: 3411C630680388EEFB25AF699D0979B77B0E741315F00C49FD156926A0D33C454ADF2B
APIs
• RegCreateKeyExW.ADVAPI32(?,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,00020019,00000000,?,00000000,-00000001,?,-00000004,?,?,007871FE,80000002), ref: 007875EF
• RegQueryValueExW.ADVAPI32(?,Timeout,00000000,007871FE,?,00000004,?,00000000,00000000,00000000,00020019,00000000,?,00000000,?,00000000), ref: 00787628
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000,?,00000000,00000000,00000000,?,?,007871FE), ref: 00787685
• WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,-00000001,?,-00000004,?,?,007871FE,80000002,?), ref: 0078F9FD
• GetLastError.KERNEL32(?,?,007871FE,80000002,?), ref: 0078FA09
• WideCharToMultiByte.KERNEL32(00000000,00000000,Timeout,000000FF,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 0078FA92
• __alloca_probe_16.LIBCMT ref: 0078FA9E
• WideCharToMultiByte.KERNEL32(00000000,00000000,Timeout,000000FF,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 0078FAB9
• RegQueryValueExA.ADVAPI32(?,?,00000000,007871FE,?,00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00020019,00000000), ref: 0078FAD5
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: ByteCharMultiWide$QueryValue$CloseCreateErrorLast__alloca_probe_16
• String ID: DisplayLogo$Software\Microsoft\Windows Script Host\Settings$Timeout
• API String ID: 907685128-512383463
• Opcode ID: 2e4debd6f8cbcdf349dbaebc85f664d97995a4f492522eb02e987d0febdc2052
• Instruction ID: a929b999748795480cc936050aaed6b26cf80f7246d63f51012eb70c3f06e9a4
• Opcode Fuzzy Hash: 2e4debd6f8cbcdf349dbaebc85f664d97995a4f492522eb02e987d0febdc2052
• Instruction Fuzzy Hash: A2511B71BC4315BBE724A768CC06F6A77689B04B20F208125F615FA1D0E7ACED40C7D6
APIs
• GetProcessHeap.KERNEL32 ref: 007868E3
• HeapAlloc.KERNEL32(00000000), ref: 007868EA
• VariantClear.OLEAUT32(?), ref: 00786925
• VariantClear.OLEAUT32(?), ref: 00786930
• SafeArrayGetElement.OLEAUT32(?,00000000,?), ref: 00786941
• VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 0078696F
• GetStdHandle.KERNEL32(000000F5,00000000), ref: 007869F5
• VariantClear.OLEAUT32(?), ref: 00786A10
• VariantClear.OLEAUT32(?), ref: 00786A1B
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00786A28
• HeapFree.KERNEL32(00000000), ref: 00786A2F
• SysAllocString.OLEAUT32(null), ref: 0078E99D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: Variant$ClearHeap$AllocProcess$ArrayChangeElementFreeHandleSafeStringType
• String ID: null
• API String ID: 253374567-634125391
• Opcode ID: c3ba99ad73b6f0bfd23ecc252581606dd5a82c8ece4e0e70c03ee45b6fc470fb
• Instruction ID: 4a14b838d41b4da0f714b9add835ed34423f181f1e104c8751f82df3b9942b10
• Opcode Fuzzy Hash: c3ba99ad73b6f0bfd23ecc252581606dd5a82c8ece4e0e70c03ee45b6fc470fb
• Instruction Fuzzy Hash: C651CF72544316ABC314EF64C848A2BB7B8BF84710F14891EF946E7250EB39ED058BD3
APIs
• GetPrivateProfileIntW.KERNEL32(Options,?,?,?), ref: 0079759B
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,0079755A,DisplayLogo), ref: 007975B1
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?,0079755A,DisplayLogo,?,00000001,?,?,007925DB,00000000,?,00000000), ref: 007975BD
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: ByteCharErrorLastMultiPrivateProfileWide
• String ID: Options
• API String ID: 1820523601-529056539
• Opcode ID: dba0f95cffebf851298b51dd791db4ab252c7c2074432435721c565e8680bf23
• Instruction ID: dcb9838ee32c38fd6e9872c5a5e95ba0adbab0c8957dea30f5e946a6df6a8e97
• Opcode Fuzzy Hash: dba0f95cffebf851298b51dd791db4ab252c7c2074432435721c565e8680bf23
• Instruction Fuzzy Hash: D131D671116225BB9F281B6A9C0DEBB7FACDF067B07114219B825D22D0EA68CD00C6F5
APIs
• GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,?), ref: 0078BAA7
• HeapAlloc.KERNEL32(00000000), ref: 0078BAAE
• GetConsoleMode.KERNEL32(?,?,?,00000001,?,00000001), ref: 0078BBA5
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000001,?,00000001), ref: 0078BBC1
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0078BBFA
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0078BC21
• GetProcessHeap.KERNEL32(00000000,?), ref: 0078BC5E
• HeapFree.KERNEL32(00000000), ref: 0078BC65
• WriteConsoleW.KERNEL32(?,?,00003FFF,?,00000000,?,00000001,?,00000001), ref: 0078BCA1
• GetLastError.KERNEL32 ref: 0078E4D1
• GetLastError.KERNEL32 ref: 0078E521
• GetLastError.KERNEL32 ref: 0078E533
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: Heap$ErrorLast$ByteCharConsoleMultiProcessWideWrite$AllocFileFreeMode
• String ID:
• API String ID: 702828211-0
• Opcode ID: e2a2e8a105be3bfeb968c978a19eb12152656e7254ccba80e30fd0acdf0bd5f0
• Instruction ID: 8e6bd7ad8281bd7b0df3d5cc51ad16b9f557ae2f4b5cc71190be681625dd4954
• Opcode Fuzzy Hash: e2a2e8a105be3bfeb968c978a19eb12152656e7254ccba80e30fd0acdf0bd5f0
• Instruction Fuzzy Hash: 70B1BD74A803199BDB34AF54CC8CBAA77B4BF14700F1041AAE919E7251EF789D80CFA5
APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 007984A1
• SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,00000000,?,00000000), ref: 007984D4
• FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,?,00000000), ref: 00798512
• GetUserDefaultUILanguage.KERNEL32(?,00000000), ref: 0079853C
• GetSystemDefaultUILanguage.KERNEL32(?,00000000,?,00000000,?,?,?,00000000), ref: 00798607
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: DefaultLanguage$FindLibraryLoadPathResourceSearchSystemUser
• String ID: %s\%s$MUI
• API String ID: 1597595625-2651373239
• Opcode ID: 0856d30a7f1270f2b80ba07f387274d18ba3bd14cbf5dc6f64899476139c9c31
• Instruction ID: 626856fbecc36342426d59be63821d98104bdae4091c3dd541532bccfff22257
                                                                                                                                                                            • Opcode Fuzzy Hash: 0856d30a7f1270f2b80ba07f387274d18ba3bd14cbf5dc6f64899476139c9c31
                                                                                                                                                                            • Instruction Fuzzy Hash: 95B1B871A4026D9BCF719F74DC48FEA7379AB85300F0484F9E905A7251EE388E858F66
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                            • API String ID: 48624451-2108815105
                                                                                                                                                                            • Opcode ID: 436c6ecee47971043591983d0fc1189a2a7ea0739b8d9ca316f3398431f1375e
                                                                                                                                                                            • Instruction ID: e62b15b4a741618b760124b1f5a6954df686812b666dd654e1763bc176b18352
                                                                                                                                                                            • Opcode Fuzzy Hash: 436c6ecee47971043591983d0fc1189a2a7ea0739b8d9ca316f3398431f1375e
                                                                                                                                                                            • Instruction Fuzzy Hash: 8B51F8BAA04656BFCF10DF98C89197EF7B9BB48200B508569E469D7641E334EE418BE0
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                                                            • API String ID: 48624451-2108815105
                                                                                                                                                                            • Opcode ID: ae88dc41ea9ba9b6ad31d26b235090b6aa35e1b8e2683e584bc05eecd986d5bf
                                                                                                                                                                            • Instruction ID: cb7c6db9a737bcdd8cf28cf4021f51b04ff62094147a7e7509b73aff06e2334a
                                                                                                                                                                            • Opcode Fuzzy Hash: ae88dc41ea9ba9b6ad31d26b235090b6aa35e1b8e2683e584bc05eecd986d5bf
                                                                                                                                                                            • Instruction Fuzzy Hash: 69511C7AA04645AECB30DF6CC8919BFB7FAFF48200F54885AE595CB641E674EA00C760
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(00000001,Enabled,00000000,?,?,?,00000000,00000001,Enabled), ref: 00787945
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Enabled,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,Enabled), ref: 0078FD6B
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 0078FD7B
                                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Enabled,000000FF,?,?,00000000,00000000), ref: 0078FD9A
                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(00000001,00000000,00000000,?,?,?,00000000,00000001,Enabled), ref: 0078FDDE
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiQueryValueWide$__alloca_probe_16
                                                                                                                                                                            • String ID: Enabled$false
                                                                                                                                                                            • API String ID: 1757841119-109718029
                                                                                                                                                                            • Opcode ID: 2e889771caa9216d7c8e7e205c52aeb2c0bb3b2079ab78521a2e952c8b08e8fb
                                                                                                                                                                            • Instruction ID: 6dc7d5ef9d897e0e81b1d24baa34efe4312342f3fe0dea10b32e28f655f0105a
                                                                                                                                                                            • Opcode Fuzzy Hash: 2e889771caa9216d7c8e7e205c52aeb2c0bb3b2079ab78521a2e952c8b08e8fb
                                                                                                                                                                            • Instruction Fuzzy Hash: 72511D71684118EAEB34AB28CC45FAA73789B05310F3043A5E616E71C0DF38ED84CB65
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000000,0000002E,00000000,00020019,?), ref: 0079292F
                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(?,00783EFE,00000000,00000000,?,00000104), ref: 00792964
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00792972
                                                                                                                                                                            • RegEnumKeyExA.ADVAPI32(80000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 007929D2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseEnumOpenQueryValue
                                                                                                                                                                            • String ID: .$Open$Open2$WSFFile$WSHFile
                                                                                                                                                                            • API String ID: 3984146545-2336295846
                                                                                                                                                                            • Opcode ID: 3b93d6619aab008678e71db48e97a667f45c96022e29bb4cf10b1d88baa5ad7d
                                                                                                                                                                            • Instruction ID: 730c5e5343b44748439e2625ef9bab80bee69d25ac58b8d272f96c1d1d38ea58
                                                                                                                                                                            • Opcode Fuzzy Hash: 3b93d6619aab008678e71db48e97a667f45c96022e29bb4cf10b1d88baa5ad7d
                                                                                                                                                                            • Instruction Fuzzy Hash: 4431BCB178011DBBEF30B765DC49FFB72ACEB10710F2041A5E945E6142E6BC9D828B61
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0078A6F5: LoadStringW.USER32(?,?,00000800,00000C89), ref: 0078A737
                                                                                                                                                                              • Part of subcall function 0078A6F5: SysAllocString.OLEAUT32(?), ref: 0078A74A
                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F5,?,?), ref: 0078B978
                                                                                                                                                                              • Part of subcall function 0078B9F0: GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,?), ref: 0078BAA7
                                                                                                                                                                              • Part of subcall function 0078B9F0: HeapAlloc.KERNEL32(00000000), ref: 0078BAAE
                                                                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 0078B98A
                                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0078B991
                                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0078B998
                                                                                                                                                                              • Part of subcall function 0078BCDF: FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,00000000,?,00000000,0078B95E,?), ref: 0078BD1E
                                                                                                                                                                              • Part of subcall function 0078BCDF: SysAllocString.OLEAUT32(?), ref: 0078BD2F
                                                                                                                                                                              • Part of subcall function 0078BCDF: LocalFree.KERNEL32(00000000,?,00000000,0078B95E,?), ref: 0078BD51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: String$Free$Alloc$Heap$FormatHandleLoadLocalMessageProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1815185728-0
                                                                                                                                                                            • Opcode ID: 8ad545610763e46d6f9d8571554ea8a5e2fc876f00d8f22f6f00b84e9b87d288
                                                                                                                                                                            • Instruction ID: e027a04be6472d38e1f8cb85ee0dcd3dabba4b607be032583880d14e25cea2e9
                                                                                                                                                                            • Opcode Fuzzy Hash: 8ad545610763e46d6f9d8571554ea8a5e2fc876f00d8f22f6f00b84e9b87d288
                                                                                                                                                                            • Instruction Fuzzy Hash: 8A316471A4010AFFCF10EFA5CC898AEBBB9FF45354B148066F515A3250DB38AE41DBA1
                                                                                                                                                                            Strings
                                                                                                                                                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 055646FC
                                                                                                                                                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05564742
                                                                                                                                                                            • Execute=1, xrefs: 05564713
                                                                                                                                                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05564655
                                                                                                                                                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 05564787
                                                                                                                                                                            • ExecuteOptions, xrefs: 055646A0
                                                                                                                                                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05564725
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                            • API String ID: 0-484625025
                                                                                                                                                                            • Opcode ID: c251b5ad93fd922c11918d1a595918f65ecd50d965fbd22434ff9afed34bdd8b
                                                                                                                                                                            • Instruction ID: af8ddfb56a8396a6d6c432e3bcd3b4b51b38b10ad81207c4f0b66b3c417c6ad0
                                                                                                                                                                            • Opcode Fuzzy Hash: c251b5ad93fd922c11918d1a595918f65ecd50d965fbd22434ff9afed34bdd8b
                                                                                                                                                                            • Instruction Fuzzy Hash: BA51073171022ABADF10EAA4DC9EFAE77B9FF49300F140499E506AB1D0DB70AA45CB51
APIs
• GetProcAddress.KERNEL32(?,WinVerifyTrust), ref: 00794930
• GetLastError.KERNEL32 ref: 0079493C
• GetLastError.KERNEL32 ref: 00794990
• FreeLibrary.KERNEL32(?,00000000,?,00000000), ref: 007949AE
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: ErrorLast$AddressFreeLibraryProc
• String ID: ($4$WinVerifyTrust$wintrust.dll
• API String ID: 1171437518-2532474036
APIs
• LoadLibraryExW.KERNEL32(WLDP.DLL,00000000,00000800,?,00000000,?,00787DA1,?,?,?,?,?,?,?), ref: 0078B1E9
• GetProcAddress.KERNEL32(00000000,WldpGetLockdownPolicy), ref: 0078B1FF
• GetProcAddress.KERNEL32(00000000,WldpIsClassInApprovedList), ref: 0078B216
• FreeLibrary.KERNEL32(00000000,?,?,?), ref: 0078B2B6
• GetLastError.KERNEL32(?,?,?), ref: 0079124B
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: AddressLibraryProc$ErrorFreeLastLoad
• String ID: WLDP.DLL$WldpGetLockdownPolicy$WldpIsClassInApprovedList
• API String ID: 1004692917-3104440107
APIs
  • Part of subcall function 0078C93B: memcmp.MSVCRT(?,00783B28,00000010,0078D6FD,00000000,00000000,?,00788DE1,00000000,00000000,?,00000000,00000000,00000030,?,0078887E), ref: 0078C93F
• VariantClear.OLEAUT32(?), ref: 00793469
• SysFreeString.OLEAUT32(00000000), ref: 0079349B
• SysFreeString.OLEAUT32(?), ref: 007934A9
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: FreeString$ClearVariantmemcmp
• String ID:
• API String ID: 1922676145-0
APIs
• GetFullPathNameW.KERNEL32(0078ECAE,00000104,?,?,?,?,?,?,?,?), ref: 00788188
• GetLastError.KERNEL32 ref: 007904DC
• WideCharToMultiByte.KERNEL32(00000000,00000000,0078ECAE,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00790503
• __alloca_probe_16.LIBCMT ref: 0079050F
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: ByteCharErrorFullLastMultiNamePathWide__alloca_probe_16
• String ID:
• API String ID: 187176378-0
APIs
• RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,?,00000000,0078F129,00000000,?,?,?,80000001,80000001,?,00792623), ref: 007974BE
• WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,?,?,?,80000001,80000001,?,00792623,00020006), ref: 007974E0
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00792623,00020006,?,?,?,?,0078F129), ref: 007974EC
• __alloca_probe_16.LIBCMT ref: 007974F6
• WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,00792623,00020006,?,?,?,?,0078F129), ref: 0079750D
• RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,?,00000000,0078F129,00000000,?,00000000,00000000,00000000,?,00792623,00020006), ref: 00797526
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: ByteCharCreateMultiWide$ErrorLast__alloca_probe_16
• String ID: Software\Microsoft\Windows Script Host\Settings
• API String ID: 3071801306-2126348837
APIs
• RegSetValueExW.ADVAPI32(?,Timeout,00000000,00000004,?,00000004,?,?,?,0078F129), ref: 0079787B
• WideCharToMultiByte.KERNEL32(00000000,00000000,Timeout,000000FF,00000000,00000000,00000000,00000000,?,?,?,0078F129), ref: 00797892
• GetLastError.KERNEL32(?,?,00000000,00000000), ref: 0079789F
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,00000004,?,?,?,0078F129), ref: 007978D1
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: Value$ByteCharErrorLastMultiWide
• String ID: Timeout
• API String ID: 1054387349-1325157390
APIs
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: String$AllocFree$freemalloc
• String ID:
• API String ID: 945414394-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: String$AllocFree$freemalloc
• String ID:
• API String ID: 945414394-0
APIs
• SysFreeString.OLEAUT32(?), ref: 00794F81
• SysFreeString.OLEAUT32(?), ref: 00794F8A
• SysFreeString.OLEAUT32(?), ref: 00794F93
• SysFreeString.OLEAUT32(?), ref: 00794F9C
• SysFreeString.OLEAUT32(?), ref: 00794FA5
Strings
• WScript_OnScriptTerminate, xrefs: 00794EE1
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: FreeString
• String ID: WScript_OnScriptTerminate
• API String ID: 3341692771-526745235
                                                                                                                                                                            • Opcode ID: 88596999fb89c164f44e011fc6811f892ccc764fed323242b65e792d2644760f
                                                                                                                                                                            • Instruction ID: 3b27cecd789cc2cdb17085dad708b3ec2aafe5435f49e7ffdffe6760d6efef99
                                                                                                                                                                            • Opcode Fuzzy Hash: 88596999fb89c164f44e011fc6811f892ccc764fed323242b65e792d2644760f
                                                                                                                                                                            • Instruction Fuzzy Hash: 02815071A00206EFCF14DF94E895A6E7BB6FF48314F144169E612A73A0DB38AD42CB95
APIs
• GetSystemDirectoryA.KERNEL32(?,00000000), ref: 0078B120
• GetSystemDirectoryA.KERNEL32(00000000,00000001), ref: 0078B158
• strcpy_s.MSVCRT ref: 0078B172
• strcpy_s.MSVCRT ref: 0078B183
• LoadLibraryExA.KERNEL32(00000000,00000000,00000800), ref: 0078B194
• GetLastError.KERNEL32 ref: 00791212
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: DirectorySystemstrcpy_s$ErrorLastLibraryLoad
• String ID:
• API String ID: 3723718217-0
• Opcode ID: d5260446bb347e6a469ab26d2a7f5a48563d6f2dd3c0e1e808371e7277681009
• Instruction ID: 3384c2bd8379119bab883b374a7d1ede0b7641b73b9972a526cd020a38223c35
• Opcode Fuzzy Hash: d5260446bb347e6a469ab26d2a7f5a48563d6f2dd3c0e1e808371e7277681009
• Instruction Fuzzy Hash: 46212D72E4021AABD711AFA89C88B6B77FCBF44700F144066F905DB100EB3DD90587D5
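The sequence in the function above (GetSystemDirectoryA, strcpy_s, then LoadLibraryExA with flags 00000800) is the DLL-hijack-resistant loading pattern: the code resolves the absolute System32 path itself and passes LOAD_LIBRARY_SEARCH_SYSTEM32 (0x800), so neither the current directory, the application directory nor PATH is searched for the module. The C below is an added illustration of that pattern, not code from this report or from the dumped cscript.exe image; the function and variable names are my own, the path-building logic compiles anywhere, and only the LoadLibraryExA call itself is Windows-specific. The module name "wldp.dll" is taken from the WLDP.DLL load that appears elsewhere in this dump.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Non-Windows build: keep the path logic compilable and stub the loader.
 * The flag value is the documented Win32 constant LOAD_LIBRARY_SEARCH_SYSTEM32. */
typedef void *HMODULE;
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800
#endif

/* A module name handed to the System32 loader must be a bare file name:
 * no separators, no drive letter, no "." or "..". Returns 1 if acceptable. */
int is_bare_module_name(const char *name)
{
    if (name == NULL || name[0] == '\0') return 0;
    if (strchr(name, '\\') || strchr(name, '/') || strchr(name, ':')) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Build "<sysdir>\<name>" into out, refusing (like strcpy_s) rather than
 * truncating. Returns 0 on success, -1 if the name is rejected or does not fit. */
int build_system32_path(const char *sysdir, const char *name, char *out, size_t outlen)
{
    size_t dirlen, need;
    if (sysdir == NULL || out == NULL || outlen == 0) return -1;
    if (!is_bare_module_name(name)) return -1;
    dirlen = strlen(sysdir);
    if (dirlen == 0) return -1;
    need = dirlen + 1 + strlen(name) + 1;   /* dir + '\' + name + NUL, upper bound */
    if (need > outlen) return -1;           /* would not fit: refuse, do not truncate */
    memcpy(out, sysdir, dirlen);
    out[dirlen] = '\0';
    if (sysdir[dirlen - 1] != '\\') strcat(out, "\\");
    strcat(out, name);
    return 0;
}

/* Check helper: returns 1 if the joined path equals expected, else 0. */
int system32_path_matches(const char *sysdir, const char *name, const char *expected)
{
    char full[260];
    if (build_system32_path(sysdir, name, full, sizeof full) != 0) return 0;
    return strcmp(full, expected) == 0;
}

/* Check helper: returns 1 if the joined path fits in outlen bytes (max 260). */
int system32_path_fits(const char *sysdir, const char *name, size_t outlen)
{
    char full[260];
    if (outlen > sizeof full) outlen = sizeof full;
    return build_system32_path(sysdir, name, full, outlen) == 0;
}

/* Load a DLL from System32 only. An absolute path combined with
 * LOAD_LIBRARY_SEARCH_SYSTEM32 means the CWD, the application directory and
 * PATH are never consulted, for the module or its dependencies, so a
 * same-named DLL planted beside a script or in the working directory is
 * not picked up. */
HMODULE load_system_dll(const char *name)
{
#ifdef _WIN32
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, (UINT)sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir) return NULL;   /* API failure or truncation */
    if (build_system32_path(sysdir, name, full, sizeof full) != 0) return NULL;
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
#else
    (void)name;
    return NULL;   /* no Win32 loader on this platform */
#endif
}

int main(void)
{
    HMODULE h = load_system_dll("wldp.dll");
    printf("load_system_dll(\"wldp.dll\") -> %s\n", h ? "loaded" : "not loaded");
    printf("rejects \"..\\\\evil.dll\": %d\n", is_bare_module_name("..\\evil.dll") == 0);
    return 0;
}
```

The two refusals are the point: a name containing a separator is rejected before any path is built, and a destination that is too small is an error rather than a silently shortened path, which is the behaviour the strcpy_s calls in the trace give the original code.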
APIs
• CreateFileW.KERNEL32(0078B2EA,80000000,00000001,00000000,00000003,08000000,00000000,?,00000000,?,000000FF,000000FF,?,0078B2EA,?), ref: 0078B547
• WideCharToMultiByte.KERNEL32(00000000,00000000,0078B2EA,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,000000FF,000000FF,?,0078B2EA,?), ref: 007913BA
• __alloca_probe_16.LIBCMT ref: 007913C6
• GetLastError.KERNEL32(?,0078B2EA,?,?,?,?,00000000,00000000), ref: 007913DB
  • Part of subcall function 0078B580: GetFileSize.KERNEL32(0078B2EA,00000000,00000000,?,0078B55F,00000000,?,?,0078B2EA,?,?,?,?,00000000,00000000), ref: 0078B595
  • Part of subcall function 0078B580: CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0078B5B6
  • Part of subcall function 0078B580: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0078B55F,00000000,?,?,0078B2EA,?,?,?,?,00000000), ref: 0078B5D0
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: File$Create$ByteCharErrorLastMappingMultiSizeViewWide__alloca_probe_16
• String ID:
• API String ID: 3211943082-0
• Opcode ID: 14af4d23fe82f63e01d37a1dae3afa0a9cafa2a6acb508bae327a68fc4cf612e
• Instruction ID: 76e5039da2c3727fab1793c01d0e0f3159bf59013b8885246ae25a2393f1b8eb
• Opcode Fuzzy Hash: 14af4d23fe82f63e01d37a1dae3afa0a9cafa2a6acb508bae327a68fc4cf612e
• Instruction Fuzzy Hash: D4212730241219BBDB306B2A9C4DFAB3E7CDF063A0F204219B515E51E1D7688D11C7F4
APIs
• RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?,?,?,?,80000000,80000000,?,00787F9E,?,?,?,?), ref: 00788134
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,80000000,80000000,?,00787F9E,?), ref: 00790495
• __alloca_probe_16.LIBCMT ref: 007904A2
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,00787F9E,?,?,?,?,?), ref: 007904B6
• RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,00020019,?,?,?,?,80000000,80000000,?,00787F9E,?,?,?,?), ref: 007904D1
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: ByteCharMultiOpenWide$__alloca_probe_16
• String ID:
• API String ID: 2527192001-0
• Opcode ID: 1be3be15f0e13cd028be4779475b08aa7521a86f92070405fa86cf147808eaaf
• Instruction ID: bb5c19212ed52412c77d8b7c17e42a10839d6e6b913c01356a514fe3d2585839
• Opcode Fuzzy Hash: 1be3be15f0e13cd028be4779475b08aa7521a86f92070405fa86cf147808eaaf
• Instruction Fuzzy Hash: C511E9B0A11259BEEF205B755C08EBB7BACDF45760F10851ABA15D61A0EE3CCC0197F1
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
• Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction ID: c14eaaf389b45e3a2f0b87a172dc7f1471e00ba1dcf17d960d0754ef510a84c5
• Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction Fuzzy Hash: 8E81A470E092499EDF24CE68C8537FEBBB2FF45330F18465AD89AA7291C7349941C750
APIs
• SysFreeString.OLEAUT32(?), ref: 00787E00
  • Part of subcall function 00788156: GetFullPathNameW.KERNEL32(0078ECAE,00000104,?,?,?,?,?,?,?,?), ref: 00788188
• SysAllocString.OLEAUT32(?), ref: 00787D2B
• SysAllocString.OLEAUT32(?), ref: 00787D45
  • Part of subcall function 0078B1D0: LoadLibraryExW.KERNEL32(WLDP.DLL,00000000,00000800,?,00000000,?,00787DA1,?,?,?,?,?,?,?), ref: 0078B1E9
  • Part of subcall function 0078B1D0: GetProcAddress.KERNEL32(00000000,WldpGetLockdownPolicy), ref: 0078B1FF
  • Part of subcall function 0078B1D0: GetProcAddress.KERNEL32(00000000,WldpIsClassInApprovedList), ref: 0078B216
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00787DA4
  • Part of subcall function 0078AE90: GetProcAddress.KERNEL32(00000000,SaferIdentifyLevel), ref: 0078AF21
  • Part of subcall function 0078AE90: GetProcAddress.KERNEL32(00000000,SaferComputeTokenFromLevel), ref: 0078AF3B
  • Part of subcall function 0078AE90: GetProcAddress.KERNEL32(00000000,SaferCloseLevel), ref: 0078AF55
  • Part of subcall function 0078AE90: memset.MSVCRT ref: 0078AF7D
  • Part of subcall function 0078AE90: memset.MSVCRT ref: 0078AFB9
  • Part of subcall function 007862F0: SendMessageA.USER32(?,00000402,00000000,00000000), ref: 007863D6
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: AddressProc$String$Allocmemset$CloseFreeFullHandleLibraryLoadMessageNamePathSend
• String ID: .wsf
• API String ID: 2713354114-2429851548
• Opcode ID: 651f5afcbd5842319cfe84f45588d04f25a816169dcb83ab3e7815a78366f56e
• Instruction ID: 1377db22e0d47f84a5b5c062a2a2882fa801d2fa13d4e822b77cffdb312144a3
• Opcode Fuzzy Hash: 651f5afcbd5842319cfe84f45588d04f25a816169dcb83ab3e7815a78366f56e
• Instruction Fuzzy Hash: DC71E775B802299FCF24AF68DC9C6AE77B5BF44310F2501A9E906A7351CA3CDD418BE1
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
• Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: 836783d8b98d3f2a13aedab92d3a798122e950f56baf6905c4d2f4a60d1aa2fa
• Instruction ID: 9447487a3448dad311c977461e5b1e35b574300e66cb38813fe42652d8380de5
• Opcode Fuzzy Hash: 836783d8b98d3f2a13aedab92d3a798122e950f56baf6905c4d2f4a60d1aa2fa
• Instruction Fuzzy Hash: F121517BA00219ABCB10DE69D845AFEBBE9BF44644F440126E945E3240EB30A9018BA1
APIs
• LoadLibraryExW.KERNEL32(kernel32.dll,00000000,00000800,-00000001,?,-00000004,?,?,00787147,00000000,00000001), ref: 0078A8FA
• GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 0078A90C
• FreeLibrary.KERNEL32(00000000,?,?,00787147,00000000,00000001), ref: 0078A939
Strings
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: HeapSetInformation$kernel32.dll
• API String ID: 145871493-3597996958
• Opcode ID: 69a01d8737b950e0afca5db4445f95b54ba3d053b2ab3992b7a5b2570aa0f126
• Instruction ID: 851ec1ef186488c6d50e0c802612d9bd5e8c59fc7d8038a349d94c767e18ff57
• Opcode Fuzzy Hash: 69a01d8737b950e0afca5db4445f95b54ba3d053b2ab3992b7a5b2570aa0f126
                                                                                                                                                                            • Instruction Fuzzy Hash: D1F0C87178924177E320277A5C89E2B3A7DE7C5B51F264437F602D2140E96CDC0293A6
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 007880BD
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 007903EF
                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00790407
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 0079043D
                                                                                                                                                                            • GetLastError.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 0079044B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: QueryValue$ByteCharErrorLastMultiWide__alloca_probe_16
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3112009249-0
                                                                                                                                                                            • Opcode ID: 34e5867d35ed01c566766f5ce4d8d3389e54414936d591783e04ed1c66b478ec
                                                                                                                                                                            • Instruction ID: 14b639342f3ca281a680364f20748bd0eabd814db853bd03462f842925926c2e
                                                                                                                                                                            • Opcode Fuzzy Hash: 34e5867d35ed01c566766f5ce4d8d3389e54414936d591783e04ed1c66b478ec
                                                                                                                                                                            • Instruction Fuzzy Hash: 1331E831A40118BBDF20AB58DC85BAE7BB8EB45310F50C15AFA11EB190DA38ED45C796
                                                                                                                                                                            APIs
                                                                                                                                                                            • EnterCriticalSection.KERNEL32(00799498), ref: 0078C155
                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00799498), ref: 0078C192
                                                                                                                                                                            • LoadRegTypeLib.OLEAUT32(?,?,00000000,?,?), ref: 00791651
                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00799498), ref: 00791662
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CriticalSection$Leave$EnterLoadType
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2204791303-0
                                                                                                                                                                            • Opcode ID: 6d7e896bcbae25664f5d68c5e217ed2f385b938bfa79915b4ceb8678ce5f471f
                                                                                                                                                                            • Instruction ID: 261e95c191c2c030e903479e2efb29ce2adcc714e8bd7771bde0e4e6daedb758
                                                                                                                                                                            • Opcode Fuzzy Hash: 6d7e896bcbae25664f5d68c5e217ed2f385b938bfa79915b4ceb8678ce5f471f
                                                                                                                                                                            • Instruction Fuzzy Hash: DF21B474740309EFDB119F58EC88A6977B5FB88310F244059F50697361DB79AC03DBA2
                                                                                                                                                                            Strings
                                                                                                                                                                            • RTL: Re-Waiting, xrefs: 0556031E
                                                                                                                                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 055602E7
                                                                                                                                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 055602BD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                                            • API String ID: 0-2474120054
                                                                                                                                                                            • Opcode ID: 33e4d27c26db43560d966c7e169f5e522b116944ebab4ef32820114e5e9919ef
                                                                                                                                                                            • Instruction ID: 57cdf0d7b0f8ec1ca68d0931b3751420cb30c0b5528d31fb1c7ddbcc172b1610
                                                                                                                                                                            • Opcode Fuzzy Hash: 33e4d27c26db43560d966c7e169f5e522b116944ebab4ef32820114e5e9919ef
                                                                                                                                                                            • Instruction Fuzzy Hash: E9E1C270608741DFE725CF28C889B2ABBE1BF84314F140A5DF8968B2E1D774E945CB96
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_780000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: wcscpy_s
                                                                                                                                                                            • String ID: WSH
                                                                                                                                                                            • API String ID: 4009619764-2133009938
                                                                                                                                                                            • Opcode ID: a88775f692d835a1eb1e50910c44c650076c1c526f89dda3ef8442bcc18c44e7
                                                                                                                                                                            • Instruction ID: 33a054f00486474114844eb94eb1ae1823c1759ad0970a61f02fcb02d78234b8
                                                                                                                                                                            • Opcode Fuzzy Hash: a88775f692d835a1eb1e50910c44c650076c1c526f89dda3ef8442bcc18c44e7
                                                                                                                                                                            • Instruction Fuzzy Hash: 45516FB16802199BDB28FB14CC89BBA7365FF44314F24405AE90797391EB3DED42C7A5
                                                                                                                                                                            Strings
                                                                                                                                                                            • RTL: Re-Waiting, xrefs: 05567BAC
                                                                                                                                                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05567B7F
                                                                                                                                                                            • RTL: Resource at %p, xrefs: 05567B8E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                            • API String ID: 0-871070163
                                                                                                                                                                            • Opcode ID: eef03dba7248d84fabb94e4cbe32bb9c841b44dd42ec2dda6bf8cdc32a2a0e74
                                                                                                                                                                            • Instruction ID: 1f1010981ce406918089f6d4c196e8a9b87984ff016ee8c3555dc5ec9711f367
                                                                                                                                                                            • Opcode Fuzzy Hash: eef03dba7248d84fabb94e4cbe32bb9c841b44dd42ec2dda6bf8cdc32a2a0e74
                                                                                                                                                                            • Instruction Fuzzy Hash: BC41E0353087429FC724DE25CC40B6AB7E6FF89720F100A1DE85ADB690EB71E805CB91
                                                                                                                                                                            APIs
                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0556728C
                                                                                                                                                                            Strings
                                                                                                                                                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05567294
                                                                                                                                                                            • RTL: Re-Waiting, xrefs: 055672C1
                                                                                                                                                                            • RTL: Resource at %p, xrefs: 055672A3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                                            • API String ID: 885266447-605551621
                                                                                                                                                                            • Opcode ID: 3642a6566dd98942bc7746c73860acd52956b7f12e46e8a7bea38cf805b1d390
                                                                                                                                                                            • Instruction ID: 144640723c2fb0a5ea0720d1b4223318a1eecd5d627d4d4ef6649674a0f66a63
                                                                                                                                                                            • Opcode Fuzzy Hash: 3642a6566dd98942bc7746c73860acd52956b7f12e46e8a7bea38cf805b1d390
                                                                                                                                                                            • Instruction Fuzzy Hash: D041E031704256ABD721DE65CC85F6AB7A6FF89724F100A19F855EB280DB31F842CBD1
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            • Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ___swprintf_l
                                                                                                                                                                            • String ID: %%%u$]:%u
                                                                                                                                                                            • API String ID: 48624451-3050659472
                                                                                                                                                                            • Opcode ID: d353b4dff5b110221cf54dde5d0a7adf393e132baf3c3f57470a8c9e219ef140
                                                                                                                                                                            • Instruction ID: fd085fd83983a46977481db81738822dc6fecb5507f044ec3bde3dcd63eea2f1
                                                                                                                                                                            • Opcode Fuzzy Hash: d353b4dff5b110221cf54dde5d0a7adf393e132baf3c3f57470a8c9e219ef140
                                                                                                                                                                            • Instruction Fuzzy Hash: FC316477A002299FCB20DE29DC45BEEB7F8FF45610F544556E849E7240EB30AA449FA0
APIs
  • Part of subcall function 0078DBC0: malloc.MSVCRT ref: 0078DBD8
• SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 0078A1C1
• SysAllocString.OLEAUT32(?), ref: 0078A1FE
• SafeArrayPutElement.OLEAUT32(2C6A5756,?,?), ref: 0078A21D
• VariantClear.OLEAUT32(?), ref: 0078A22A
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: ArraySafe$AllocClearCreateElementStringVariantmalloc
• String ID:
• API String ID: 90143694-0
APIs
• SafeArrayDestroy.OLEAUT32(?), ref: 0078A43E
• SysFreeString.OLEAUT32(?), ref: 0078A47F
• SysFreeString.OLEAUT32(?), ref: 0078A488
• SysFreeString.OLEAUT32(?), ref: 0078A491
Memory Dump Source
• Source File: 00000005.00000002.4501615680.0000000000780000.00000040.80000000.00040000.00000000.sdmp, Offset: 00780000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_780000_cscript.jbxd
Similarity
• API ID: FreeString$ArrayDestroySafe
• String ID:
• API String ID: 4164600000-0
Memory Dump Source
• Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
• Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
Memory Dump Source
• Source File: 00000005.00000002.4502617990.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: true
• Associated: 00000005.00000002.4502617990.00000000055E9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4502617990.00000000055ED000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4502617990.000000000565E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_54c0000_cscript.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280