Windows Analysis Report
SWIFT.exe

Overview

General Information

Sample name: SWIFT.exe
Analysis ID: 1431498
MD5: c3783358a70c67db7ba565a68872b2d6
SHA1: e0c97fdd090069d6fb47589643fad0d8365b537a
SHA256: 2e546d749c2e13895babd1d2bca41978605c1ba3967ca0b21709646120704760
Tags: exe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SWIFT.exe (PID: 1960 cmdline: "C:\Users\user\Desktop\SWIFT.exe" MD5: C3783358A70C67DB7BA565A68872B2D6)
    • MSBuild.exe (PID: 5064 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • MSBuild.exe (PID: 5796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.quoctoan.vn", "Username": "long_xnk@quoctoan.vn", "Password": "bGMJNaGYNTLC"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000003.00000002.3245436957.00000000032A6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2036561499.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000003.00000002.3244352148.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3244352148.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3245436957.000000000329E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 10 entries shown)

Source | Rule | Description | Author
0.2.SWIFT.exe.4309970.7.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.SWIFT.exe.5af0000.12.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.SWIFT.exe.5af0000.12.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.SWIFT.exe.4309970.7.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.SWIFT.exe.5098988.10.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 14 entries shown)

Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 112.213.92.152, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 5796, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Timestamp: 04/25/24-10:38:01.777560 | SID: 2839723 | Source Port: 49704 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-10:38:01.777589 | SID: 2851779 | Source Port: 49704 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-10:38:01.777589 | SID: 2840032 | Source Port: 49704 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-10:38:01.777589 | SID: 2855542 | Source Port: 49704 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-10:38:01.777589 | SID: 2855245 | Source Port: 49704 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-10:38:01.777560 | SID: 2030171 | Source Port: 49704 | Destination Port: 587 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: 0.2.SWIFT.exe.505df68.9.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.quoctoan.vn", "Username": "long_xnk@quoctoan.vn", "Password": "bGMJNaGYNTLC"}
Source: SWIFT.exe | ReversingLabs: Detection: 52%
Source: SWIFT.exe | Virustotal: Detection: 53%
Source: SWIFT.exe | Joe Sandbox ML: detected
Source: SWIFT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: SWIFT.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: qfffT.pdb source: SWIFT.exe
Source: Binary string: qfffT.pdbSHA256 source: SWIFT.exe

Networking

Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49704 -> 112.213.92.152:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49704 -> 112.213.92.152:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49704 -> 112.213.92.152:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49704 -> 112.213.92.152:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49704 -> 112.213.92.152:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49704 -> 112.213.92.152:587
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 112.213.92.152:587
Source: Joe Sandbox View | ASN Name: SUPERDATA-AS-VNSUPERDATA-VN
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: unknown | HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91 (14 identical entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 identical entries)
Source: global traffic | DNS traffic detected: DNS query: mail.quoctoan.vn
Source: MSBuild.exe, 00000003.00000002.3245436957.00000000032A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.quoctoan.vn
Source: MSBuild.exe, 00000003.00000002.3245436957.00000000032A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail92152.maychuemail.com
Source: SWIFT.exe, 00000000.00000002.2034008651.000000000505D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3244352148.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, 7KG.cs | .Net Code: _0MhZfg
Source: 0.2.SWIFT.exe.5098988.10.raw.unpack, 7KG.cs | .Net Code: _0MhZfg

System Summary

Source: 0.2.SWIFT.exe.5098988.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SWIFT.exe.505df68.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SWIFT.exe.5098988.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_0197D5BC
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_058BD2F8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_058BDCC8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_058B6BE8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_058B0006
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_058B0040
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_058BDCB7
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_058B6BD8
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_058BDA20
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_058BDA30
Source: C:\Users\user\Desktop\SWIFT.exe | Code function: 0_2_08A60C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_030A9380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_030A9B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_030A4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_030ACE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_030A3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_030A41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_067C56C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_067C3F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_067CBCE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_067CDD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_067C05B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_067C2AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_067C9AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_067C8B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_067C4FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 3_2_067C3240
Source: SWIFT.exe, 00000000.00000002.2035633292.0000000005300000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SWIFT.exe
Source: SWIFT.exe, 00000000.00000002.2034008651.0000000004CF7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SWIFT.exe
Source: SWIFT.exe, 00000000.00000002.2034008651.000000000505D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed73c8e00-3a74-4257-91f6-3323ac15dd71.exe4 vs SWIFT.exe
Source: SWIFT.exe, 00000000.00000002.2033159770.0000000003450000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed73c8e00-3a74-4257-91f6-3323ac15dd71.exe4 vs SWIFT.exe
Source: SWIFT.exe, 00000000.00000002.2032212634.000000000152E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SWIFT.exe
Source: SWIFT.exe | Binary or memory string: OriginalFilenameqfffT.exen' vs SWIFT.exe
Source: SWIFT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SWIFT.exe.5098988.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SWIFT.exe.505df68.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SWIFT.exe.5098988.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SWIFT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, 1UT6pzc0M.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, DnQOD3M.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, 01seU.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, iUDwvr7Gz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, XUu2qKyuF6.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, aZathEIgR.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, l50VLEll22.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWIFT.exe.505df68.9.raw.unpack, l50VLEll22.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, fBIFARM1dNcGpWBBWF.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, fBIFARM1dNcGpWBBWF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, fBIFARM1dNcGpWBBWF.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, LTAbF3ZUBqJsYnuwhW.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, fBIFARM1dNcGpWBBWF.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, fBIFARM1dNcGpWBBWF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, fBIFARM1dNcGpWBBWF.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, LTAbF3ZUBqJsYnuwhW.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, fBIFARM1dNcGpWBBWF.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, fBIFARM1dNcGpWBBWF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, fBIFARM1dNcGpWBBWF.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, LTAbF3ZUBqJsYnuwhW.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@5/1@2/1
Source: C:\Users\user\Desktop\SWIFT.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SWIFT.exe | Mutant created: \Sessions\1\BaseNamedObjects\iHxXkwdIHBKIctgXRIdWSFXFQuT
Source: SWIFT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SWIFT.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SWIFT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SWIFT.exe | ReversingLabs: Detection: 52%
Source: SWIFT.exe | Virustotal: Detection: 53%
Source: unknown | Process created: C:\Users\user\Desktop\SWIFT.exe "C:\Users\user\Desktop\SWIFT.exe"
Source: C:\Users\user\Desktop\SWIFT.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SWIFT.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SWIFT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\SWIFT.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: SWIFT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SWIFT.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SWIFT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: qfffT.pdb source: SWIFT.exe
Source: Binary string: qfffT.pdbSHA256 source: SWIFT.exe

                        Data Obfuscation

Source: 0.2.SWIFT.exe.5af0000.12.raw.unpack, V4uC3Iifq56IKQcfry.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: SWIFT.exe, Form1.cs | .Net Code: InitializeComponent
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, fBIFARM1dNcGpWBBWF.cs | .Net Code: pXkDf2woh5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, fBIFARM1dNcGpWBBWF.cs | .Net Code: pXkDf2woh5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, fBIFARM1dNcGpWBBWF.cs | .Net Code: pXkDf2woh5 System.Reflection.Assembly.Load(byte[])
Source: SWIFT.exe | Static PE information: 0xF3EC99AE [Sun Sep 6 09:15:26 2099 UTC]
Source: SWIFT.exe | Static PE information: section name: .text entropy: 7.9848971240460545
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, l3uKDiGEukCXQ10mb1.cs | High entropy of concatenated method names: 'K6dfnkDS5', 'ms6FqFT5r', 'yP5Pkef6Q', 'hDGArSZrf', 'MpXoojA50', 'SYBhjNu1r', 'I4t0mYQSfa1vTGMeQc', 'eqMsFv2kM25xF444NG', 'GaUI0CkIX', 'zyaWtYqru'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, DNjYqavbeRfGYMOMNx.cs | High entropy of concatenated method names: 'VgLHZOIS4c', 'iiNHoMM8SB', 'xZtHKTpDEM', 'wq9HeNkVXt', 'yYSHBxDPKH', 'OmDHtoAW1W', 'XiAH8mXFH9', 'wvTH0XGyYi', 'gh6HJZChsE', 'bvEH2FpNXx'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, il3qo0bBxWcPXwwvUq.cs | High entropy of concatenated method names: 'ToString', 'JchY2qlZhU', 'rNOYeBB7q9', 'QAyYXpaQbZ', 'FPKYBbEOFK', 'WwyYtMeGp2', 'klQYl4oqg5', 'guoY8wB94n', 'mLOY02t0DD', 'fXiY3SWYbG'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, yJ5mACQQOvtCvII9Xry.cs | High entropy of concatenated method names: 'ToString', 'kFwW9gcw8j', 'akdWD7LW0u', 'iG0WwNDVMe', 'Q4DW5If8lf', 'KIsWTMMkev', 'xXCWCOd5YY', 'mjoWRYcokE', 'K8gSeWYZcvf464xi9qk', 'UESJrWYr7bCauaE12DJ'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, WE8gUVL1pn26BaBie1.cs | High entropy of concatenated method names: 'XUwIKU0jE0', 'grfIeTpI0h', 'FkDIXTcRwG', 'c4CIBJmqql', 'WwfI194RFr', 'eCbItENhha', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, fBIFARM1dNcGpWBBWF.cs | High entropy of concatenated method names: 'QJ19wAWq5Y', 'OUh95bGpWl', 'OWL9TSyJZM', 'mCt9Cut4WZ', 'fdO9RQ1Bc9', 'mMh9c6shW1', 'd2A9iWeFsw', 'dbK9MDmYHI', 'dbE9p39U5i', 'Se09khV9BS'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, IMHNqa1GwxHuBX79pe.cs | High entropy of concatenated method names: 'Q007J9Opin', 'wIA7SfIy8n', 'MnK71Fgd3l', 'eJG7EyJppi', 'rFL7eCq3bc', 'Isq7XwlW7j', 'OBk7BG7sRK', 'Vau7tpVoip', 'R0E7luX35Z', 'hX478Ei0mh'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, Pb2E018WVNi9US0kvR.cs | High entropy of concatenated method names: 'zM6i5E90sl', 'PgXiCxmeLG', 'bGKicgDURM', 'laOcaB8fTY', 'HOPczk4OdM', 'bP3iUsAuJO', 'G0biQPHL7Q', 'DDtiGTJBoS', 'QQ2i9paUlR', 'aoxiDgkUY4'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, X80DMSQ97ppGTWh50QH.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GPMW1ZnWeJ', 'HjPWEvaUrt', 'dcUWbBoeUQ', 'ipGWjGmXn0', 'jh6WnmTJQA', 'xyVWxts2a8', 'j2fWVm2Dph'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, OAkLgt3hVcB8a4TNPx.cs | High entropy of concatenated method names: 'vBxi6UpN9B', 'XgVi4lyq0L', 'IfTifab76N', 'XQAiFJ9SWq', 'gTRiy3y09i', 'M1uiP7TuAv', 'LfHiADZFaR', 'UD2iZk02y0', 'oUhioYfEe6', 'Pd4ihbso1S'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, uY4pkiqDqX0kyNCuhi.cs | High entropy of concatenated method names: 'XaxI57FQqO', 'n9rITsxy0A', 'TcPICPBBWB', 'cAGIRq9DLd', 'ATSIclExRT', 'gBLIi8iNQQ', 'ALLIMR7WH5', 'JxnIpBp5hp', 'VDDIkWNKMk', 'F8CIdIeF98'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, GDG5GMxJTp6njGdYES.cs | High entropy of concatenated method names: 'FNpuqpxNnm', 'mIMuaEbPcO', 'qxHIUBZgXQ', 'RKrIQrMKov', 'ucKu2XSbxw', 'k0IuScc3Qn', 'gBSuvIMO57', 'cTbu1RQEHn', 'JnduEAHEEg', 'RDwub82bSL'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, dZ7lISDHl5QeJd73Tb.cs | High entropy of concatenated method names: 'Gl8QiTAbF3', 'aBqQMJsYnu', 'aLlQkSOtTS', 'Fh7Qdd4FBb', 'scJQ7h5MbI', 'btXQYVwrlc', 'fD64FhAasOnoDhouFl', 'gFQJpqZ9RM2AuYfsHs', 'amNQQKW9rE', 'Q6vQ9DI7cm'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, zOZnVUoLlSOtTSKh7d.cs | High entropy of concatenated method names: 'vPXCFQ68Zm', 'zfyCPH8sOY', 'mIGCZSCMgw', 'xoHCoF8Off', 'fFIC7UUryX', 'pxbCY3aNBp', 'BKJCulHbU5', 'updCI2X4TX', 'xttCOKyxTp', 'wguCWrndS2'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, CvEX3yQUapj0dPs76S0.cs | High entropy of concatenated method names: 'wybO6t6uuQ', 'mq4O4kMn0v', 'yjmOfC8mNW', 'oe0OFsIc03', 'KekOyJPamB', 'PqYOPeIdrN', 'I1mOAr30br', 'k3cOZZNPwN', 'pGmOore6GS', 'LLFOhYrQWl'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, QUMQenaZE0bN9GbMZg.cs | High entropy of concatenated method names: 'IK9OQmU98V', 'FtKO9sx9T7', 'jweODCXuDu', 'sLnO5ReX9i', 'xsDOTypdft', 'UmFORwnMd4', 'nD5OcvAQDF', 'DycIV4RDy2', 'SW2IqwiqP2', 'HLAIL1dXk5'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, kbIQtXKVwrlcFiSqxx.cs | High entropy of concatenated method names: 'g9Icw0d8Ao', 'AoZcTEk1Tg', 'JRpcRBWDYL', 's1ZciqN2PK', 'jPycMpL3nv', 'yF5RnmfGCv', 'InsRxJOmQ6', 'A2RRVNPTDK', 'iLjRqd0DB0', 'tBqRLCiitR'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, LTAbF3ZUBqJsYnuwhW.cs | High entropy of concatenated method names: 'sCHT16FA56', 'qY6TEqYnmK', 'pGcTbYxUkK', 'lsiTjmvvXt', 'PWHTnkXG5Y', 'aKbTxToV0D', 'bF8TVO1r8B', 'NQZTqOJ0Br', 'pZiTLWaotn', 'E90TaFB3bP'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, BUANBPjKABgFDh7hbJ.cs | High entropy of concatenated method names: 'BAEuk8McdZ', 'l9rudYcI30', 'ToString', 'o3Hu5Xd5VC', 'tcYuTbcfCj', 'mdEuC0qV83', 'kWXuRssVSy', 'X6yucdjPmE', 'FcQui8hO5i', 'KNCuMcU7FL'
Source: 0.2.SWIFT.exe.4f02210.8.raw.unpack, as7UGTTrgSge76n5y2.cs | High entropy of concatenated method names: 'Dispose', 'iiyQLexZb8', 'elLGeFcgJs', 'RVissELPgg', 'emYQa4pkiD', 'WX0QzkyNCu', 'ProcessDialogKey', 'FiqGUE8gUV', 'RpnGQ26BaB', 'je1GGvUMQe'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, l3uKDiGEukCXQ10mb1.cs | High entropy of concatenated method names: 'K6dfnkDS5', 'ms6FqFT5r', 'yP5Pkef6Q', 'hDGArSZrf', 'MpXoojA50', 'SYBhjNu1r', 'I4t0mYQSfa1vTGMeQc', 'eqMsFv2kM25xF444NG', 'GaUI0CkIX', 'zyaWtYqru'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, DNjYqavbeRfGYMOMNx.cs | High entropy of concatenated method names: 'VgLHZOIS4c', 'iiNHoMM8SB', 'xZtHKTpDEM', 'wq9HeNkVXt', 'yYSHBxDPKH', 'OmDHtoAW1W', 'XiAH8mXFH9', 'wvTH0XGyYi', 'gh6HJZChsE', 'bvEH2FpNXx'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, il3qo0bBxWcPXwwvUq.cs | High entropy of concatenated method names: 'ToString', 'JchY2qlZhU', 'rNOYeBB7q9', 'QAyYXpaQbZ', 'FPKYBbEOFK', 'WwyYtMeGp2', 'klQYl4oqg5', 'guoY8wB94n', 'mLOY02t0DD', 'fXiY3SWYbG'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, yJ5mACQQOvtCvII9Xry.cs | High entropy of concatenated method names: 'ToString', 'kFwW9gcw8j', 'akdWD7LW0u', 'iG0WwNDVMe', 'Q4DW5If8lf', 'KIsWTMMkev', 'xXCWCOd5YY', 'mjoWRYcokE', 'K8gSeWYZcvf464xi9qk', 'UESJrWYr7bCauaE12DJ'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, WE8gUVL1pn26BaBie1.cs | High entropy of concatenated method names: 'XUwIKU0jE0', 'grfIeTpI0h', 'FkDIXTcRwG', 'c4CIBJmqql', 'WwfI194RFr', 'eCbItENhha', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, fBIFARM1dNcGpWBBWF.cs | High entropy of concatenated method names: 'QJ19wAWq5Y', 'OUh95bGpWl', 'OWL9TSyJZM', 'mCt9Cut4WZ', 'fdO9RQ1Bc9', 'mMh9c6shW1', 'd2A9iWeFsw', 'dbK9MDmYHI', 'dbE9p39U5i', 'Se09khV9BS'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, IMHNqa1GwxHuBX79pe.cs | High entropy of concatenated method names: 'Q007J9Opin', 'wIA7SfIy8n', 'MnK71Fgd3l', 'eJG7EyJppi', 'rFL7eCq3bc', 'Isq7XwlW7j', 'OBk7BG7sRK', 'Vau7tpVoip', 'R0E7luX35Z', 'hX478Ei0mh'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, Pb2E018WVNi9US0kvR.cs | High entropy of concatenated method names: 'zM6i5E90sl', 'PgXiCxmeLG', 'bGKicgDURM', 'laOcaB8fTY', 'HOPczk4OdM', 'bP3iUsAuJO', 'G0biQPHL7Q', 'DDtiGTJBoS', 'QQ2i9paUlR', 'aoxiDgkUY4'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, X80DMSQ97ppGTWh50QH.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GPMW1ZnWeJ', 'HjPWEvaUrt', 'dcUWbBoeUQ', 'ipGWjGmXn0', 'jh6WnmTJQA', 'xyVWxts2a8', 'j2fWVm2Dph'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, OAkLgt3hVcB8a4TNPx.cs | High entropy of concatenated method names: 'vBxi6UpN9B', 'XgVi4lyq0L', 'IfTifab76N', 'XQAiFJ9SWq', 'gTRiy3y09i', 'M1uiP7TuAv', 'LfHiADZFaR', 'UD2iZk02y0', 'oUhioYfEe6', 'Pd4ihbso1S'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, uY4pkiqDqX0kyNCuhi.cs | High entropy of concatenated method names: 'XaxI57FQqO', 'n9rITsxy0A', 'TcPICPBBWB', 'cAGIRq9DLd', 'ATSIclExRT', 'gBLIi8iNQQ', 'ALLIMR7WH5', 'JxnIpBp5hp', 'VDDIkWNKMk', 'F8CIdIeF98'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, GDG5GMxJTp6njGdYES.cs | High entropy of concatenated method names: 'FNpuqpxNnm', 'mIMuaEbPcO', 'qxHIUBZgXQ', 'RKrIQrMKov', 'ucKu2XSbxw', 'k0IuScc3Qn', 'gBSuvIMO57', 'cTbu1RQEHn', 'JnduEAHEEg', 'RDwub82bSL'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, dZ7lISDHl5QeJd73Tb.cs | High entropy of concatenated method names: 'Gl8QiTAbF3', 'aBqQMJsYnu', 'aLlQkSOtTS', 'Fh7Qdd4FBb', 'scJQ7h5MbI', 'btXQYVwrlc', 'fD64FhAasOnoDhouFl', 'gFQJpqZ9RM2AuYfsHs', 'amNQQKW9rE', 'Q6vQ9DI7cm'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, zOZnVUoLlSOtTSKh7d.cs | High entropy of concatenated method names: 'vPXCFQ68Zm', 'zfyCPH8sOY', 'mIGCZSCMgw', 'xoHCoF8Off', 'fFIC7UUryX', 'pxbCY3aNBp', 'BKJCulHbU5', 'updCI2X4TX', 'xttCOKyxTp', 'wguCWrndS2'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, CvEX3yQUapj0dPs76S0.cs | High entropy of concatenated method names: 'wybO6t6uuQ', 'mq4O4kMn0v', 'yjmOfC8mNW', 'oe0OFsIc03', 'KekOyJPamB', 'PqYOPeIdrN', 'I1mOAr30br', 'k3cOZZNPwN', 'pGmOore6GS', 'LLFOhYrQWl'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, QUMQenaZE0bN9GbMZg.cs | High entropy of concatenated method names: 'IK9OQmU98V', 'FtKO9sx9T7', 'jweODCXuDu', 'sLnO5ReX9i', 'xsDOTypdft', 'UmFORwnMd4', 'nD5OcvAQDF', 'DycIV4RDy2', 'SW2IqwiqP2', 'HLAIL1dXk5'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, kbIQtXKVwrlcFiSqxx.cs | High entropy of concatenated method names: 'g9Icw0d8Ao', 'AoZcTEk1Tg', 'JRpcRBWDYL', 's1ZciqN2PK', 'jPycMpL3nv', 'yF5RnmfGCv', 'InsRxJOmQ6', 'A2RRVNPTDK', 'iLjRqd0DB0', 'tBqRLCiitR'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, LTAbF3ZUBqJsYnuwhW.cs | High entropy of concatenated method names: 'sCHT16FA56', 'qY6TEqYnmK', 'pGcTbYxUkK', 'lsiTjmvvXt', 'PWHTnkXG5Y', 'aKbTxToV0D', 'bF8TVO1r8B', 'NQZTqOJ0Br', 'pZiTLWaotn', 'E90TaFB3bP'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, BUANBPjKABgFDh7hbJ.cs | High entropy of concatenated method names: 'BAEuk8McdZ', 'l9rudYcI30', 'ToString', 'o3Hu5Xd5VC', 'tcYuTbcfCj', 'mdEuC0qV83', 'kWXuRssVSy', 'X6yucdjPmE', 'FcQui8hO5i', 'KNCuMcU7FL'
Source: 0.2.SWIFT.exe.5300000.11.raw.unpack, as7UGTTrgSge76n5y2.cs | High entropy of concatenated method names: 'Dispose', 'iiyQLexZb8', 'elLGeFcgJs', 'RVissELPgg', 'emYQa4pkiD', 'WX0QzkyNCu', 'ProcessDialogKey', 'FiqGUE8gUV', 'RpnGQ26BaB', 'je1GGvUMQe'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, l3uKDiGEukCXQ10mb1.cs | High entropy of concatenated method names: 'K6dfnkDS5', 'ms6FqFT5r', 'yP5Pkef6Q', 'hDGArSZrf', 'MpXoojA50', 'SYBhjNu1r', 'I4t0mYQSfa1vTGMeQc', 'eqMsFv2kM25xF444NG', 'GaUI0CkIX', 'zyaWtYqru'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, DNjYqavbeRfGYMOMNx.cs | High entropy of concatenated method names: 'VgLHZOIS4c', 'iiNHoMM8SB', 'xZtHKTpDEM', 'wq9HeNkVXt', 'yYSHBxDPKH', 'OmDHtoAW1W', 'XiAH8mXFH9', 'wvTH0XGyYi', 'gh6HJZChsE', 'bvEH2FpNXx'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, il3qo0bBxWcPXwwvUq.cs | High entropy of concatenated method names: 'ToString', 'JchY2qlZhU', 'rNOYeBB7q9', 'QAyYXpaQbZ', 'FPKYBbEOFK', 'WwyYtMeGp2', 'klQYl4oqg5', 'guoY8wB94n', 'mLOY02t0DD', 'fXiY3SWYbG'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, yJ5mACQQOvtCvII9Xry.cs | High entropy of concatenated method names: 'ToString', 'kFwW9gcw8j', 'akdWD7LW0u', 'iG0WwNDVMe', 'Q4DW5If8lf', 'KIsWTMMkev', 'xXCWCOd5YY', 'mjoWRYcokE', 'K8gSeWYZcvf464xi9qk', 'UESJrWYr7bCauaE12DJ'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, WE8gUVL1pn26BaBie1.cs | High entropy of concatenated method names: 'XUwIKU0jE0', 'grfIeTpI0h', 'FkDIXTcRwG', 'c4CIBJmqql', 'WwfI194RFr', 'eCbItENhha', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, fBIFARM1dNcGpWBBWF.cs | High entropy of concatenated method names: 'QJ19wAWq5Y', 'OUh95bGpWl', 'OWL9TSyJZM', 'mCt9Cut4WZ', 'fdO9RQ1Bc9', 'mMh9c6shW1', 'd2A9iWeFsw', 'dbK9MDmYHI', 'dbE9p39U5i', 'Se09khV9BS'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, IMHNqa1GwxHuBX79pe.cs | High entropy of concatenated method names: 'Q007J9Opin', 'wIA7SfIy8n', 'MnK71Fgd3l', 'eJG7EyJppi', 'rFL7eCq3bc', 'Isq7XwlW7j', 'OBk7BG7sRK', 'Vau7tpVoip', 'R0E7luX35Z', 'hX478Ei0mh'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, Pb2E018WVNi9US0kvR.cs | High entropy of concatenated method names: 'zM6i5E90sl', 'PgXiCxmeLG', 'bGKicgDURM', 'laOcaB8fTY', 'HOPczk4OdM', 'bP3iUsAuJO', 'G0biQPHL7Q', 'DDtiGTJBoS', 'QQ2i9paUlR', 'aoxiDgkUY4'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, X80DMSQ97ppGTWh50QH.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GPMW1ZnWeJ', 'HjPWEvaUrt', 'dcUWbBoeUQ', 'ipGWjGmXn0', 'jh6WnmTJQA', 'xyVWxts2a8', 'j2fWVm2Dph'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, OAkLgt3hVcB8a4TNPx.cs | High entropy of concatenated method names: 'vBxi6UpN9B', 'XgVi4lyq0L', 'IfTifab76N', 'XQAiFJ9SWq', 'gTRiy3y09i', 'M1uiP7TuAv', 'LfHiADZFaR', 'UD2iZk02y0', 'oUhioYfEe6', 'Pd4ihbso1S'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, uY4pkiqDqX0kyNCuhi.cs | High entropy of concatenated method names: 'XaxI57FQqO', 'n9rITsxy0A', 'TcPICPBBWB', 'cAGIRq9DLd', 'ATSIclExRT', 'gBLIi8iNQQ', 'ALLIMR7WH5', 'JxnIpBp5hp', 'VDDIkWNKMk', 'F8CIdIeF98'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, GDG5GMxJTp6njGdYES.cs | High entropy of concatenated method names: 'FNpuqpxNnm', 'mIMuaEbPcO', 'qxHIUBZgXQ', 'RKrIQrMKov', 'ucKu2XSbxw', 'k0IuScc3Qn', 'gBSuvIMO57', 'cTbu1RQEHn', 'JnduEAHEEg', 'RDwub82bSL'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, dZ7lISDHl5QeJd73Tb.cs | High entropy of concatenated method names: 'Gl8QiTAbF3', 'aBqQMJsYnu', 'aLlQkSOtTS', 'Fh7Qdd4FBb', 'scJQ7h5MbI', 'btXQYVwrlc', 'fD64FhAasOnoDhouFl', 'gFQJpqZ9RM2AuYfsHs', 'amNQQKW9rE', 'Q6vQ9DI7cm'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, zOZnVUoLlSOtTSKh7d.cs | High entropy of concatenated method names: 'vPXCFQ68Zm', 'zfyCPH8sOY', 'mIGCZSCMgw', 'xoHCoF8Off', 'fFIC7UUryX', 'pxbCY3aNBp', 'BKJCulHbU5', 'updCI2X4TX', 'xttCOKyxTp', 'wguCWrndS2'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, CvEX3yQUapj0dPs76S0.cs | High entropy of concatenated method names: 'wybO6t6uuQ', 'mq4O4kMn0v', 'yjmOfC8mNW', 'oe0OFsIc03', 'KekOyJPamB', 'PqYOPeIdrN', 'I1mOAr30br', 'k3cOZZNPwN', 'pGmOore6GS', 'LLFOhYrQWl'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, QUMQenaZE0bN9GbMZg.cs | High entropy of concatenated method names: 'IK9OQmU98V', 'FtKO9sx9T7', 'jweODCXuDu', 'sLnO5ReX9i', 'xsDOTypdft', 'UmFORwnMd4', 'nD5OcvAQDF', 'DycIV4RDy2', 'SW2IqwiqP2', 'HLAIL1dXk5'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, kbIQtXKVwrlcFiSqxx.cs | High entropy of concatenated method names: 'g9Icw0d8Ao', 'AoZcTEk1Tg', 'JRpcRBWDYL', 's1ZciqN2PK', 'jPycMpL3nv', 'yF5RnmfGCv', 'InsRxJOmQ6', 'A2RRVNPTDK', 'iLjRqd0DB0', 'tBqRLCiitR'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, LTAbF3ZUBqJsYnuwhW.cs | High entropy of concatenated method names: 'sCHT16FA56', 'qY6TEqYnmK', 'pGcTbYxUkK', 'lsiTjmvvXt', 'PWHTnkXG5Y', 'aKbTxToV0D', 'bF8TVO1r8B', 'NQZTqOJ0Br', 'pZiTLWaotn', 'E90TaFB3bP'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, BUANBPjKABgFDh7hbJ.cs | High entropy of concatenated method names: 'BAEuk8McdZ', 'l9rudYcI30', 'ToString', 'o3Hu5Xd5VC', 'tcYuTbcfCj', 'mdEuC0qV83', 'kWXuRssVSy', 'X6yucdjPmE', 'FcQui8hO5i', 'KNCuMcU7FL'
Source: 0.2.SWIFT.exe.4f7fa30.6.raw.unpack, as7UGTTrgSge76n5y2.cs | High entropy of concatenated method names: 'Dispose', 'iiyQLexZb8', 'elLGeFcgJs', 'RVissELPgg', 'emYQa4pkiD', 'WX0QzkyNCu', 'ProcessDialogKey', 'FiqGUE8gUV', 'RpnGQ26BaB', 'je1GGvUMQe'
Source: 0.2.SWIFT.exe.5af0000.12.raw.unpack, V4uC3Iifq56IKQcfry.cs | High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.SWIFT.exe.5af0000.12.raw.unpack, vpednoN8EZgsJ4TDwx.cs | High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: C:\Users\user\Desktop\SWIFT.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: SWIFT.exe PID: 1960, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: 1970000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: 3300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: 5300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: 6500000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: 7500000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: 7630000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: 8630000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: 8D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: 9D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: AD10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Memory allocated: BD10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 3250000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 5250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SWIFT.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 1547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 8273
Source: C:\Users\user\Desktop\SWIFT.exe TID: 1352 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -25825441703193356s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -100000s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1680Thread sleep count: 1547 > 30Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -99891s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -99782s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1680Thread sleep count: 8273 > 30Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep count: 39 > 30Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -99657s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -99532s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -99422s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -99313s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -99188s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -99063s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -98938s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -98813s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -98694s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -98579s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -98454s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -98329s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -98204s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -98066s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -97954s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -97844s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -97719s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -97610s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -97485s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -97360s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -97235s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -97110s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -96985s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -96860s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -96735s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -96610s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -96485s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -96360s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -96235s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -96110s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -95985s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -95860s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -95735s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -95610s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -95485s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -95360s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -95235s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -95110s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -94985s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -94860s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -94735s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -94610s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -94485s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -94360s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -94235s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -94110s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1988Thread sleep time: -93985s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\SWIFT.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 100000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99891Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99782Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99657Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99532Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99422Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99313Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99188Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 99063Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98938Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98813Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98694Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98579Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98454Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98329Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98204Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 98066Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97954Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97844Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97719Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97610Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97485Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97360Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97235Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 97110Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96985Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96860Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96735Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96610Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96485Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96360Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96235Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 96110Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95985Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95860Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95735Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95610Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95485Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95360Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95235Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 95110Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94985Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94860Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94735Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94610Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94485Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94360Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94235Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 94110Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 93985Jump to behavior
                        Source: MSBuild.exe, 00000003.00000002.3248886205.00000000065B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\SWIFT.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\SWIFT.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\SWIFT.exeMemory allocated: page read and write | page guardJump to behavior
                        Source: C:\Users\user\Desktop\SWIFT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\SWIFT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\SWIFT.exeQueries volume information: C:\Users\user\Desktop\SWIFT.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\SWIFT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\SWIFT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\SWIFT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\SWIFT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\SWIFT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 0.2.SWIFT.exe.5098988.10.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.505df68.9.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.5098988.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.505df68.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000003.00000002.3245436957.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.3244352148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.3245436957.000000000329E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2034008651.000000000505D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.3245436957.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: SWIFT.exe PID: 1960, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORYSTR
                        Source: Yara match | File source: 0.2.SWIFT.exe.4309970.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.5af0000.12.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.5af0000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.4309970.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.2036561499.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2034008651.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\FTP Navigator\Ftplist.txt
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical events)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                        Source: Yara match | File source: 0.2.SWIFT.exe.5098988.10.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.505df68.9.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.5098988.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.505df68.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000003.00000002.3244352148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2034008651.000000000505D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.3245436957.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: SWIFT.exe PID: 1960, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 0.2.SWIFT.exe.5098988.10.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.505df68.9.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.5098988.10.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.505df68.9.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000003.00000002.3245436957.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.3244352148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.3245436957.000000000329E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2034008651.000000000505D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.3245436957.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: SWIFT.exe PID: 1960, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORYSTR
                        Source: Yara match | File source: 0.2.SWIFT.exe.4309970.7.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.5af0000.12.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.5af0000.12.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.SWIFT.exe.4309970.7.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.2036561499.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2034008651.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (tactics in the report's column order). Only cells that carry a signature-count badge are listed; the number in parentheses is the badge text exactly as extracted. The remaining cells of the grid are the unmatched technique template and say nothing about this sample.

Reconnaissance: no hits
Resource Development: no hits
Initial Access: no hits
Execution: Windows Management Instrumentation (121)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (141); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (22); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1)
Discovery: Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (24)
Lateral Movement: no hits
Collection: Email Collection (1); Input Capture (1); Archive Collected Data (11); Data from Local System (2)
Command and Control: Encrypted Channel (12); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (12)
Exfiltration: no hits
Impact: no hits

Note that the Exfiltration column is empty even though the network section below records Snort alerts for AgentTesla data exfiltration over SMTP; the SMTP behaviour is mapped to the Command and Control techniques, so an empty Exfiltration column must not be read as absence of exfiltration.

Antivirus Detection

Sample
Source | Detection | Scanner | Label
SWIFT.exe | 53% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
SWIFT.exe | 54% | Virustotal |
SWIFT.exe | 100% | Joe Sandbox ML |

No Antivirus matches (dropped files)
No Antivirus matches (unpacked PE files)

Domains
Source | Detection | Scanner
bg.microsoft.map.fastly.net | 0% | Virustotal
mail92152.maychuemail.com | 1% | Virustotal
fp2e7a.wpc.phicdn.net | 0% | Virustotal
mail.quoctoan.vn | 0% | Virustotal

URLs
Source | Detection | Scanner | Label
http://mail92152.maychuemail.com | 0% | Avira URL Cloud | safe
http://mail.quoctoan.vn | 0% | Avira URL Cloud | safe
http://mail.quoctoan.vn | 0% | Virustotal |
http://mail92152.maychuemail.com | 1% | Virustotal |

The near-zero reputation scores on the two mail hosts do not clear them: mail92152.maychuemail.com is the SMTP server that receives the stolen data in this run (see the Snort alerts and the traffic table below). URL and domain reputation lags behind a fresh credential-drop mailbox, so the behavioural evidence takes precedence.
Domains resolved during analysis
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | unknown
mail92152.maychuemail.com | 112.213.92.152 | true | true | - | unknown
fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | - | unknown
mail.quoctoan.vn | unknown | unknown | true | - | unknown

mail.quoctoan.vn never resolved during the run and occurs only as a string in MSBuild.exe memory; the capture shows SMTP traffic solely to mail92152.maychuemail.com (112.213.92.152). Both CDN hosts (fastly.net, phicdn.net) are on the analysis whitelist listed under Cookbook Comments and are background Windows traffic, not sample activity.

URLs found in memory
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.quoctoan.vn | MSBuild.exe, 00000003.00000002.3245436957.00000000032A6000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://mail92152.maychuemail.com | MSBuild.exe, 00000003.00000002.3245436957.00000000032A6000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://account.dyn.com/ | SWIFT.exe, 00000000.00000002.2034008651.000000000505D000.00000004.00000800.00020000.00000000.sdmp; MSBuild.exe, 00000003.00000002.3244352148.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | - | high

The dyn.com string is present both in the SWIFT.exe heap and in MSBuild.exe memory, consistent with the same payload image being carried into MSBuild.exe by the process injection the signatures report. Both SMTP server names, by contrast, are found only in the MSBuild.exe process, i.e. in the unpacked stealer rather than in the loader.
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
112.213.92.152 | mail92152.maychuemail.com | Viet Nam | 45544 | SUPERDATA-AS-VN SUPERDATA-VN | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431498
Start date and time: 2024-04-25 10:37:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SWIFT.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.evad.winEXE@5/1@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 74
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 40.68.123.157, 199.232.210.172, 192.229.211.108, 20.166.126.56, 199.232.214.172
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:37:53 | API Interceptor | 2x Sleep call for process: SWIFT.exe modified
10:37:54 | API Interceptor | 90x Sleep call for process: MSBuild.exe modified
Context: IPs
Match | Associated Sample Name / URL | Detection | Threat Name
112.213.92.152 | 5BLllRSrXNY7G7d.exe | malicious | AgentTesla

Context: Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context IP
mail92152.maychuemail.com | 5BLllRSrXNY7G7d.exe | malicious | AgentTesla | 112.213.92.152
fp2e7a.wpc.phicdn.net | https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | http://survey-smiles.com | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | g77dRQ1Csm.exe | malicious | Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT | 192.229.211.108
fp2e7a.wpc.phicdn.net | http://rfpteams.ksplastlc.net | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://app.milanote.com/1RZbnl1zfBXuaf?p=r2B66sphbV4 | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | http://decktop.us/gORiyf | malicious | HTMLPhisher | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://cos-aliyun8789.towqzg.cn/ | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://shining-melodic-magnesium.glitch.me/rvicendDev.html | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://univ-paris13-4.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139 | malicious | Unknown | 192.229.211.108
fp2e7a.wpc.phicdn.net | https://univ-paris13-3.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139 | malicious | Unknown | 192.229.211.108
bg.microsoft.map.fastly.net | https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | page97.exe | malicious | LonePage | 199.232.210.172
bg.microsoft.map.fastly.net | Minutes_of_15th_Session_of_PSC.pdf.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | KMj8h32vWy.exe | malicious | AsyncRAT, PureLog Stealer | 199.232.214.172
bg.microsoft.map.fastly.net | https://cos-aliyun8789.towqzg.cn/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://shining-melodic-magnesium.glitch.me/rvicendDev.html | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://univ-paris13-4.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139 | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://univ-paris13.laviewddns.com/login.php?wa=wsignin1.0&client_id=fe9c55ad-8a94-46b2-a3c3-816799478139 | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://fassouyatajadalravuij.blob.core.windows.net/fassouyatajadalravuij/1.html?KIUS8wH0YY7cB2NMwxGsVoa5iezV7W9cvLqamEPM8HdxqBLgYyX6Goh6aNwgjitRkRWLcAfZPzQwfAIRlIAPQ3jfogxjD1t9nA60#cl/26081_md/7/18507/5419/19036/1614238 | malicious | Phisher | 199.232.210.172
bg.microsoft.map.fastly.net | https://windowdefalerts-error0x21702-alert-virus-detected.pages.dev/ | malicious | HTMLPhisher, TechSupportScam | 199.232.210.172

The two CDN domains appear in unrelated analyses of every kind (phishing URLs, unrelated stealers); they are shared Microsoft/Edgecast infrastructure, on the whitelist used for this run, and carry no pivot value. The only domain context that matters for this sample is mail92152.maychuemail.com, already tied to a second AgentTesla sample.

Context: ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context IP
SUPERDATA-AS-VN SUPERDATA-VN | 5BLllRSrXNY7G7d.exe | malicious | AgentTesla | 112.213.92.152
SUPERDATA-AS-VN SUPERDATA-VN | rMayNewPurchase.exe | malicious | AgentTesla | 112.213.93.72
SUPERDATA-AS-VN SUPERDATA-VN | rRECEIPTTRANSFE.exe | malicious | AgentTesla | 112.213.93.72
SUPERDATA-AS-VN SUPERDATA-VN | SecuriteInfo.com.Win32.PWSX-gen.11821.9568.exe | malicious | AgentTesla | 112.213.90.70
SUPERDATA-AS-VN SUPERDATA-VN | Transferencia 78897645.exe | malicious | Unknown | 103.77.162.8
SUPERDATA-AS-VN SUPERDATA-VN | Transferencia 78897645.exe | malicious | Unknown | 103.77.162.8
SUPERDATA-AS-VN SUPERDATA-VN | pago 78890943.exe | malicious | Unknown | 103.77.162.8
SUPERDATA-AS-VN SUPERDATA-VN | pago 78890943.exe | malicious | Unknown | 103.77.162.8
SUPERDATA-AS-VN SUPERDATA-VN | Confirmaci#U00f3n de factura.exe | malicious | AgentTesla, PureLog Stealer | 103.77.162.8
SUPERDATA-AS-VN SUPERDATA-VN | pago 89909334.exe | malicious | Unknown | 103.77.162.8

Four further AgentTesla samples exfiltrate to mail servers in the same AS (112.213.90.70, 112.213.93.72), so the hosting provider, not just the single mailbox host, is a reasonable hunting pivot for outbound SMTP on port 587.

Context: JA3 fingerprints
Match | Associated Sample Name / URL | Detection | Threat Name | Context IP
1138de370e523e824bbca92d049a3777 | https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | http://rfpteams.ksplastlc.net | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://shining-melodic-magnesium.glitch.me/rvicendDev.html | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://ernestjcrist.icu/23d80j2d/qwd13d8jqd/index.html?13813e8=0101%2020596-12595&13813e8=https://femininplurielles.com | malicious | TechSupportScam | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://jiujiuwanka.cn/ | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://goxdgdb.cn/ | malicious | Unknown | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://clicks.aweber.com/y/ct/?l=irQzWw&m=hE2OWd5T.UYPuTr&b=hqint4ojZ0QPjD7.f4mxDg#Ym5hbmRlcnNvbkBwcmVzaWRpby5jb20= | malicious | HTMLPhisher | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://gamma.app/docs/Shared-Document-9j9g6z8iqo1w0uu | malicious | HTMLPhisher | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://cloudflare-ipfs.com/ipfs/bafkreiffz46tyqvifmyhjcdbynucd4duurmznmxaorlfjuwzovmtocshje | malicious | HTMLPhisher | 23.1.237.91
1138de370e523e824bbca92d049a3777 | https://phoenixdevcom.glastec.org/?nLN3=brX8q | malicious | HTMLPhisher | 23.1.237.91

This JA3 hash is the one behind the "JA3 SSL client fingerprint seen in connection with other malware" signature. Every context entry is a URL analysis hitting the same 23.1.237.91, and the TLS flows to that address in the traffic table start before the sample's own SMTP session, so the fingerprint recurs across unrelated analyses and identifies a common client stack rather than this malware; treat it as a low-specificity indicator.
                            No context
Process: C:\Users\user\Desktop\SWIFT.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

The only dropped file is the CLR's per-executable assembly usage log (the ".." in the preview are CRLF line breaks), which the .NET runtime writes for any managed program it runs; it records the assemblies and NGEN native images the SWIFT.exe process bound, hence the benign reputation. It is still a useful artifact on a real host: it proves the loader executed and lists the assemblies it pulled in (here System.Windows.Forms and System.Drawing among others).
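As an added example (not Joe Sandbox code and not part of the report), here is a parser for the usage-log format in the preview above, written as a DFIR helper: it turns the records into a load-order list of assembly names and a map of assembly to native image. The records are copied from the preview, minus the truncated System.Xml line. The record-type meanings it assumes (1 = runtime property, 2 = assembly loaded, 3 = assembly bound to an NGEN native image) are this example's reading of the preview, not something the report states.

```python
"""Parser for the CLR assembly-usage log shown in the dropped file's preview.
Added example, not Joe Sandbox code. Record-type meanings (1 = runtime property,
2 = assembly loaded, 3 = assembly bound to a native image) are assumed."""
import csv
from io import StringIO

# Records copied from the report's preview (".." there is a CRLF); the truncated final
# System.Xml record is left out rather than guessed at.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\n'
    '1,"WinRT","NotApp",1\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\8b2c1203fd20aea8260bfbc518004720\\System.Core.ni.dll",0\n'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\2192b0d5aa4aa14486ae08118d3b9fcc\\System.Configuration.ni.dll",0\n'
)


def parse_display_name(display: str) -> dict:
    """Split 'Name, Version=..., Culture=..., PublicKeyToken=...' into its parts."""
    name, *attrs = [p.strip() for p in display.split(",")]
    info = {"name": name}
    for attr in attrs:
        key, _, value = attr.partition("=")
        info[key.lower()] = value
    return info


def parse_usage_log(text: str) -> list[dict]:
    """One dict per record; quoted fields carry commas, backslashes are literal."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        kind = int(row[0])
        if kind == 1:
            records.append({"kind": "runtime", "key": row[1], "value": row[2]})
        elif kind == 2:
            records.append({"kind": "assembly", "native_image": None, **parse_display_name(row[1])})
        elif kind == 3:
            records.append({"kind": "assembly", "native_image": row[2], **parse_display_name(row[1])})
        else:
            records.append({"kind": "unknown", "raw": row})
    return records


def bound_assemblies(records: list[dict]) -> list[str]:
    """Assembly simple names in load order: the triage-relevant view of the log."""
    return [r["name"] for r in records if r["kind"] == "assembly"]


def native_images(records: list[dict]) -> dict:
    """Assembly name -> NGEN image path, for the records that bound a native image."""
    return {r["name"]: r["native_image"] for r in records if r.get("native_image")}


if __name__ == "__main__":
    recs = parse_usage_log(SAMPLE_LOG)
    print(bound_assemblies(recs))
    for name, path in native_images(recs).items():
        print(f"{name} <- {path}")
```

On a live host the same parser can be pointed at the per-user usage-log directory to enumerate which managed executables ran and what they loaded, which is often the only trace left by a loader that otherwise lives in an injected process.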
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.979239549999064
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: SWIFT.exe
File size: 687'616 bytes
MD5: c3783358a70c67db7ba565a68872b2d6
SHA1: e0c97fdd090069d6fb47589643fad0d8365b537a
SHA256: 2e546d749c2e13895babd1d2bca41978605c1ba3967ca0b21709646120704760
SHA512: 1290fdf7c8ea57681cc62d27d32f6a2b9b386350cdf883d81f931b01cb19c1a9f38487d58d6f96900406e8dbb2cd0fafb0038e9fd2c003b3dce1c3b5ea1ce229
SSDEEP: 12288:Ztlv312Z3YYmvBh+a/UOqfGFE4xyqJaUpzWDAMk3dWlajbrYbCCZM:ZtJ312ZY1v7PxqfYEkvzlMk3AirYmCZ
TLSH: DCE423A75DD11B19D07D67BF1EA245347370708AC413F34D9AA887D2428BB0F6AD2E2B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..r..........^.... ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4a915e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF3EC99AE [Sun Sep 6 09:15:26 2099 UTC]
TLS Callbacks: none
CLR (.Net) Version: not reported
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

The compile timestamp decodes to a date 75 years after the analysis, which is what the "Binary contains a suspicious time stamp" signature refers to. On its own it is weak evidence: the Roslyn compilers in deterministic mode write a hash-derived value into TimeDateStamp, so legitimate .NET binaries also carry implausible dates. Here it sits alongside a 7.98-bits-per-byte file entropy, an unsigned image and the packer signatures, which together are what matter. The import hash is the generic one shared by every managed PE32 that imports only mscoree!_CorExeMain, so it cannot be used to cluster this sample.
Instruction
jmp dword ptr [00402000h]
inc esi
dec edi
push edx
xor al, 54h
xor eax, 42384738h
aaa
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], dh
cmp byte ptr [ecx+50h], dl
xor eax, 36374734h
pop edx
inc ebx
add byte ptr [eax], al (this instruction repeats 83 more times; it is zero padding decoded as code)

Only the first instruction is real: a managed PE32's native entry point is a 6-byte stub that jumps through the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 8, i.e. VA 0x402000) to mscoree!_CorExeMain, the one import the file has. The bytes that follow are data (a short run of printable characters, then zeros) that the disassembler renders as instructions; they are never executed, so nothing about the malware's behaviour can be read from them. The real logic is in the CIL and in whatever the .text section unpacks at run time.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa910a | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x61c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa7d40 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

The empty SECURITY directory matches "Digitally signed: false"; the non-empty COM_DESCRIPTOR entry (the CLR header) is what makes this a managed executable, and the 8-byte IAT directly follows the entry stub's jump target.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa7184 | 0xa7200 | db060e3c33533985d744cf4abcc978e3 | False | 0.977636207460733 | data | 7.9848971240460545 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xaa000 | 0x61c | 0x800 | d50f0ff92c5276d84a5f70ce74ff17e0 | False | 0.33642578125 | data | 3.4700575050860465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xac000 | 0xc | 0x200 | 772d63d3cdb26c0ae5becba22a6ae728 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Almost the whole file is the .text section (0xa7200 of 687'616 bytes), and that section is effectively incompressible (entropy 7.98 bits per byte, ZLIB complexity 0.98). Real CIL and metadata compress well, so the bulk of .text is an encrypted or compressed payload, which is the static side of the "Software Packing" and ".NET source code contains potential unpacker" signatures and explains why the loader injects into MSBuild.exe rather than running the stealer in place.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xaa090 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | | | 0.41740088105726875
RT_MANIFEST | 0xaa42c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

The "PGP symmetric key encrypted data" label on RT_VERSION is a libmagic false positive, not a finding: a VS_VERSIONINFO block starts with its 16-bit wLength, here 0x38c stored little-endian as 8C 03, and 0x8C is also the old-format PGP packet tag the magic rule keys on. The resource is an ordinary version-info block.
DLL | Import
mscoree.dll | _CorExeMain
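The static checks above (future timestamp, CLR header present, managed entry stub through the IAT, section entropy) are simple to automate. The following is an added example, not Joe Sandbox code and not SWIFT.exe: it parses a PE32 header with the standard library and runs those four checks on a constructed sample that borrows the report's timestamp (0xF3EC99AE), image base (0x400000), IAT and CLR directory RVAs (0x2000 and 0x2008) and DllCharacteristics; the section layout and bytes are made up, and the 7.5-bit entropy cut-off is an assumed triage threshold.

```python
"""Static triage of a PE32 in the spirit of the Static File Info above: future compile
timestamp, CLR header present, managed entry stub, section entropy.
Added example with a constructed sample; not Joe Sandbox code and not SWIFT.exe."""
import math
import struct
from datetime import datetime, timedelta, timezone

IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
PACKED_ENTROPY_THRESHOLD = 7.5  # assumed triage cut-off (bits/byte), not a report value


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0, the same scale as the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(blob: bytes) -> dict:
    """Minimal PE32 reader: COFF header, optional header, data directories, sections."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    ndirs = struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "image_base": image_base,
            "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def triage(blob: bytes, now: datetime) -> dict:
    pe = parse_pe32(blob)
    # timedelta arithmetic sidesteps platform limits of fromtimestamp() for far-future dates
    compiled = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=pe["timestamp"])
    iat_rva, _ = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IAT]
    _, clr_size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    # A managed PE32's native entry point is just "jmp dword ptr [IAT slot]" (FF 25 + absolute
    # VA); the single slot holds mscoree!_CorExeMain. Everything after those 6 bytes is data.
    ep = rva_to_offset(pe, pe["entry_rva"])
    stub = b"\xff\x25" + struct.pack("<I", pe["image_base"] + iat_rva)
    return {"compiled": compiled,
            "timestamp_in_future": compiled > now,
            "is_dotnet": clr_size != 0,
            "entry_is_cor_stub": blob[ep:ep + 6] == stub,
            "high_entropy_sections": [s["name"] for s in pe["sections"]
                                      if s["entropy"] > PACKED_ENTROPY_THRESHOLD]}


def build_sample_pe() -> bytes:
    """Constructed PE32, not SWIFT.exe: borrows the report's timestamp, image base, IAT and
    CLR directory RVAs and DllCharacteristics; layout and section bytes are made up."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0xF3EC99AE, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2050)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x2000, 0x200)                  # section / file alignment
    struct.pack_into("<II", opt, 56, 0x6000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x8540)                      # GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT, 0x2000, 0x8)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    sect = "<8sIIIIIIHHI"
    text_hdr = struct.pack(sect, b".text", 0x1000, 0x2000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    reloc_hdr = struct.pack(sect, b".reloc", 0xC, 0x4000, 0x200, 0x1200, 0, 0, 0, 0, 0x42000040)
    headers = (dos + b"PE\0\0" + coff + opt + text_hdr + reloc_hdr).ljust(0x200, b"\0")
    # .text: a uniform byte filler stands in for packed code (~8 bits/byte), overlaid with the
    # IAT slot, an IMAGE_COR20_HEADER and the _CorExeMain jump stub at the entry point.
    text = bytearray((i * 151) & 0xFF for i in range(0x1000))
    text[0x00:0x08] = struct.pack("<II", 0x2100, 0)                  # IAT: one slot + terminator
    text[0x08:0x50] = struct.pack("<IHH", 0x48, 2, 5).ljust(0x48, b"\0")   # cb, runtime 2.5
    text[0x50:0x56] = b"\xff\x25" + struct.pack("<I", 0x402000)      # jmp dword ptr [0x402000]
    reloc = struct.pack("<IIHH", 0x2000, 0xC, 0x3052, 0).ljust(0x200, b"\0")
    return bytes(headers + text) + reloc


def triage_sample() -> dict:
    """Triage the constructed sample with the report's analysis date as 'now'."""
    return triage(build_sample_pe(), now=datetime(2024, 4, 25, tzinfo=timezone.utc))
```

Run against the constructed sample, `triage_sample()` reports the compile date as 2099-09-06 09:15:26 UTC, a timestamp in the future, a .NET image, a genuine _CorExeMain stub at the entry point and .text as the one high-entropy section; against SWIFT.exe itself the same checks would reproduce the report's timestamp, entry-stub and entropy findings from the header alone.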
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/25/24-10:38:01.777560 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49704 | 587 | 192.168.2.5 | 112.213.92.152
04/25/24-10:38:01.777589 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49704 | 587 | 192.168.2.5 | 112.213.92.152
04/25/24-10:38:01.777589 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49704 | 587 | 192.168.2.5 | 112.213.92.152
04/25/24-10:38:01.777589 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49704 | 587 | 192.168.2.5 | 112.213.92.152
04/25/24-10:38:01.777589 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49704 | 587 | 192.168.2.5 | 112.213.92.152
04/25/24-10:38:01.777560 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49704 | 587 | 192.168.2.5 | 112.213.92.152

All six alerts fire within 30 microseconds on the same client-to-server segments of the one SMTP session (49704 to 112.213.92.152:587), i.e. on the message body being submitted. No Telegram endpoint appears anywhere in the report, so the "Telegram Exfil" rule name should not be read as evidence of a second channel; the only exfiltration path observed is SMTP on 587.
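The Snort alerts catch this on the wire; the report's "Sigma detected: MSBuild connects to smtp port" signature catches it on the host, where the process is visible. As an added example (not Joe Sandbox or Sigma code), here is that host-side logic run over Sysmon Event ID 3 style records: the first event mirrors the report's flow (192.168.2.5:49704 to 112.213.92.152:587, 10:37:57 CEST written as UTC), the others are constructed decoys. The MSBuild.exe path, the PIDs, the watch-list of sibling hollowing hosts and the mail-client allow-list are assumptions, not values from the report.

```python
"""Host-side equivalent of the report's "MSBuild connects to smtp port" Sigma hit, run over
Sysmon Event ID 3 (network connection) records. Added example; events are constructed, and
the image paths, PIDs and allow/watch lists are assumptions, not values from the report."""
from dataclasses import dataclass
from ipaddress import ip_address

SMTP_PORTS = {25, 465, 587}
# Assumed watch-list: .NET hosts that loaders hollow to run a stealer (the report shows
# MSBuild.exe; the others are common siblings in AgentTesla-style campaigns).
HOLLOWING_HOSTS = ("\\msbuild.exe", "\\regasm.exe", "\\regsvcs.exe", "\\installutil.exe")
# Assumed allow-list of workstation processes that legitimately speak SMTP.
MAIL_CLIENTS = ("\\outlook.exe", "\\thunderbird.exe")


@dataclass(frozen=True)
class NetConn:
    """The Sysmon Event ID 3 fields this check needs."""
    utc_time: str
    image: str
    pid: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    initiated: bool  # True for outbound connections


def classify(ev: NetConn) -> list[str]:
    """Names of the rules one connection event triggers (empty list = benign)."""
    hits = []
    if not ev.initiated or ev.dst_port not in SMTP_PORTS:
        return hits
    image = ev.image.lower()
    if image.endswith(HOLLOWING_HOSTS):
        hits.append("msbuild_connects_to_smtp_port")  # the report's Sigma rule, widened to sibling hosts
    if not image.endswith(MAIL_CLIENTS) and not ip_address(ev.dst_ip).is_private:
        hits.append("smtp_from_non_mail_client")  # broader catch-all for SMTP exfiltration
    return hits


def detect(events: list[NetConn]) -> list[dict]:
    return [{"rule": rule, "time": ev.utc_time, "image": ev.image, "pid": ev.pid,
             "dst": f"{ev.dst_ip}:{ev.dst_port}"}
            for ev in events for rule in classify(ev)]


MSBUILD = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"  # assumed path; PIDs below are made up
SAMPLE_EVENTS = [
    # the report's exfil flow (10:37:57 CEST = 08:37:57 UTC)
    NetConn("2024-04-25 08:37:57.381", MSBUILD, 4321, "192.168.2.5", 49704, "112.213.92.152", 587, True),
    # browser HTTPS: wrong port, ignored
    NetConn("2024-04-25 08:37:52.545", "C:\\Program Files\\Mozilla Firefox\\firefox.exe", 2222,
            "192.168.2.5", 49674, "23.1.237.91", 443, True),
    # a mail client submitting mail: allow-listed
    NetConn("2024-04-25 08:40:00.000", "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", 3333,
            "192.168.2.5", 50001, "203.0.113.25", 587, True),
    # MSBuild to an internal relay: still the Sigma hit, but not the public-destination catch-all
    NetConn("2024-04-25 08:41:00.000", MSBUILD, 4321, "192.168.2.5", 50002, "10.0.0.7", 25, True),
    # the dropper itself talking SMTP: only the catch-all fires
    NetConn("2024-04-25 08:42:00.000", "C:\\Users\\user\\Desktop\\SWIFT.exe", 1111,
            "192.168.2.5", 50003, "112.213.92.152", 587, True),
    # inbound leg of a connection: not initiated by the process, ignored
    NetConn("2024-04-25 08:43:00.000", MSBUILD, 4321, "112.213.92.152", 587, "192.168.2.5", 49704, False),
]


def detect_sample() -> list[dict]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in detect_sample():
        print(alert)
```

The two rules are deliberately layered: the narrow one reproduces the Sigma hit and is cheap to keep at zero false positives, while the catch-all flags any non-mail-client process submitting mail to a public address, which is what catches the loader when it does not bother to inject. Run over the sample events, the narrow rule fires twice (both MSBuild connections) and the catch-all twice (MSBuild and SWIFT.exe to the public server), for four alerts in total.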
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 10:37:52.545182943 CEST | 49674 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:37:52.545193911 CEST | 49675 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:37:52.654571056 CEST | 49673 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:37:57.381022930 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:37:57.736526966 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:37:57.736675024 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:37:58.387259007 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:37:58.388271093 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:37:58.741028070 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:37:58.742093086 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:37:59.095443964 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:37:59.096844912 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:37:59.490789890 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:37:59.532633066 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:37:59.532957077 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:37:59.892577887 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:37:59.944677114 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:37:59.944936991 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:38:00.300678015 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:38:01.415672064 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:38:01.415936947 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:38:01.776833057 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:38:01.776878119 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:38:01.777559996 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:38:01.777589083 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:38:01.777611971 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:38:01.777635098 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:38:02.147495985 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:38:02.154479980 CEST | 49674 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:38:02.154623985 CEST | 49675 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:38:02.187846899 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:38:02.264013052 CEST | 49673 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:38:03.639888048 CEST | 443 | 49703 | 23.1.237.91 | 192.168.2.5
Apr 25, 2024 10:38:03.640022039 CEST | 49703 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:38:07.247893095 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:38:07.295137882 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:38:14.145287037 CEST | 49703 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:38:14.145399094 CEST | 49703 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:38:14.156886101 CEST | 49710 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:38:14.156930923 CEST | 443 | 49710 | 23.1.237.91 | 192.168.2.5
Apr 25, 2024 10:38:14.156996965 CEST | 49710 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:38:14.163110971 CEST | 49710 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:38:14.163132906 CEST | 443 | 49710 | 23.1.237.91 | 192.168.2.5
Apr 25, 2024 10:38:14.302949905 CEST | 443 | 49703 | 23.1.237.91 | 192.168.2.5
Apr 25, 2024 10:38:14.302977085 CEST | 443 | 49703 | 23.1.237.91 | 192.168.2.5
Apr 25, 2024 10:38:14.493361950 CEST | 443 | 49710 | 23.1.237.91 | 192.168.2.5
Apr 25, 2024 10:38:14.493434906 CEST | 49710 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:38:33.645051956 CEST | 443 | 49710 | 23.1.237.91 | 192.168.2.5
Apr 25, 2024 10:38:33.645250082 CEST | 49710 | 443 | 192.168.2.5 | 23.1.237.91
Apr 25, 2024 10:39:36.185545921 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:39:36.589833021 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:39:36.750041008 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5
Apr 25, 2024 10:39:36.750166893 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:39:36.750278950 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152
Apr 25, 2024 10:39:37.106718063 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5

Two conversations are interleaved here. The one that matters is a single TCP connection from 192.168.2.5:49704 to 112.213.92.152:587, opened at 10:37:57, used for the SMTP exchange that triggers the Snort alerts at 10:38:01, and reused on the same socket for a further exchange at 10:39:36, so the stealer keeps the session open rather than reconnecting per message. The TLS flows to 23.1.237.91:443 (ports 49673 to 49710) begin before the sample's first connection and belong to the JA3 fingerprint discussed in the context tables; they are not attributable to the malware.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 10:37:56.144443035 CEST | 56939 | 53 | 192.168.2.5 | 1.1.1.1
Apr 25, 2024 10:37:57.139168024 CEST | 56939 | 53 | 192.168.2.5 | 1.1.1.1
Apr 25, 2024 10:37:57.373195887 CEST | 53 | 56939 | 1.1.1.1 | 192.168.2.5
Apr 25, 2024 10:37:57.373274088 CEST | 53 | 56939 | 1.1.1.1 | 192.168.2.5
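The packet tables above list one row per packet, which hides the fact that the whole capture is a handful of sessions: one long-lived connection from 192.168.2.5:49704 to 112.213.92.152:587, a few short TLS connections to 23.1.237.91:443, and the DNS lookups. The following script is an added example (not part of the Joe Sandbox report) that folds packet rows into bidirectional flows keyed on the sandbox host's side and then applies the port-side half of a "process connects to SMTP port" check, which is the kind of condition behind the Sigma hit in the overview. The rows embedded in the script are a constructed subset of the TCP table above in a cleaned "timestamp sport dport sip dip" layout; the set of SMTP ports is an assumption of this example, not the Sigma rule's own selection.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime

# Sandbox host whose traffic the report records (from the packet tables above).
SANDBOX_HOST = "192.168.2.5"
# Mail submission/transfer ports. Assumption of this example, not the Sigma rule's own port list.
SMTP_PORTS = {25, 465, 587, 2525}

# Constructed subset of the TCP packet rows from this report: "timestamp sport dport sip dip".
PACKET_ROWS = """\
Apr 25, 2024 10:37:59.532633066 CEST 587 49704 112.213.92.152 192.168.2.5
Apr 25, 2024 10:37:59.532957077 CEST 49704 587 192.168.2.5 112.213.92.152
Apr 25, 2024 10:38:02.154479980 CEST 49674 443 192.168.2.5 23.1.237.91
Apr 25, 2024 10:38:03.639888048 CEST 443 49703 23.1.237.91 192.168.2.5
Apr 25, 2024 10:38:03.640022039 CEST 49703 443 192.168.2.5 23.1.237.91
Apr 25, 2024 10:38:14.156886101 CEST 49710 443 192.168.2.5 23.1.237.91
Apr 25, 2024 10:38:14.156930923 CEST 443 49710 23.1.237.91 192.168.2.5
Apr 25, 2024 10:39:36.185545921 CEST 49704 587 192.168.2.5 112.213.92.152
Apr 25, 2024 10:39:36.750041008 CEST 587 49704 112.213.92.152 192.168.2.5
"""

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<sip>[\d.]+) (?P<dip>[\d.]+)$"
)


@dataclass
class Flow:
    client: str
    client_port: int
    server: str
    server_port: int
    first: float
    last: float
    packets_out: int = 0  # sandbox host -> remote
    packets_in: int = 0   # remote -> sandbox host

    @property
    def duration(self):
        return self.last - self.first


def parse_row(line):
    """Split one packet row into (epoch seconds, sport, dport, sip, dip)."""
    m = ROW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable packet row: {line!r}")
    # datetime carries at most microseconds; the report prints nanoseconds, so truncate.
    base = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
    ts = base.timestamp() + int(m["frac"][:6].ljust(6, "0")) / 1_000_000
    return ts, int(m["sport"]), int(m["dport"]), m["sip"], m["dip"]


def build_flows(rows, host=SANDBOX_HOST):
    """Fold packets into flows keyed (client, client_port, server, server_port) from the host's view."""
    flows = OrderedDict()
    for line in rows.splitlines():
        ts, sport, dport, sip, dip = parse_row(line)
        if sip == host:
            key, outbound = (sip, sport, dip, dport), True
        elif dip == host:
            key, outbound = (dip, dport, sip, sport), False
        else:
            continue  # not the sandbox host's traffic, so not attributable to the sample
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(*key, first=ts, last=ts)
        f.first, f.last = min(f.first, ts), max(f.last, ts)
        if outbound:
            f.packets_out += 1
        else:
            f.packets_in += 1
    return list(flows.values())


def smtp_flows(flows):
    """Port-side half of a 'process connects to SMTP port' rule: flows whose server port is a mail port."""
    return [f for f in flows if f.server_port in SMTP_PORTS]


if __name__ == "__main__":
    for f in build_flows(PACKET_ROWS):
        flag = "  <-- SMTP" if f in smtp_flows([f]) else ""
        print(f"{f.client}:{f.client_port} -> {f.server}:{f.server_port} "
              f"out={f.packets_out} in={f.packets_in} dur={f.duration:.3f}s{flag}")
```

On the full table the same grouping gives one flow on port 587 spanning the entire SMTP session (10:37:59 to 10:39:37) and separate short flows for each ephemeral port towards 23.1.237.91; attributing the 587 flow to a process still needs the sandbox's process-to-socket mapping, which is what the Sigma rule adds on top of the port condition.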
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 25, 2024 10:37:56.144443035 CEST | 192.168.2.5 | 1.1.1.1 | 0x8c07 | Standard query (0) | mail.quoctoan.vn | A (IP address) | IN (0x0001) | false
Apr 25, 2024 10:37:57.139168024 CEST | 192.168.2.5 | 1.1.1.1 | 0x8c07 | Standard query (0) | mail.quoctoan.vn | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 25, 2024 10:37:57.373195887 CEST | 1.1.1.1 | 192.168.2.5 | 0x8c07 | No error (0) | mail.quoctoan.vn | mail92152.maychuemail.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 25, 2024 10:37:57.373195887 CEST | 1.1.1.1 | 192.168.2.5 | 0x8c07 | No error (0) | mail92152.maychuemail.com | | 112.213.92.152 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 10:37:57.373274088 CEST | 1.1.1.1 | 192.168.2.5 | 0x8c07 | No error (0) | mail.quoctoan.vn | mail92152.maychuemail.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 25, 2024 10:37:57.373274088 CEST | 1.1.1.1 | 192.168.2.5 | 0x8c07 | No error (0) | mail92152.maychuemail.com | | 112.213.92.152 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 10:38:13.824147940 CEST | 1.1.1.1 | 192.168.2.5 | 0x916b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 10:38:13.824147940 CEST | 1.1.1.1 | 192.168.2.5 | 0x916b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 10:38:13.830079079 CEST | 1.1.1.1 | 192.168.2.5 | 0xbab | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 25, 2024 10:38:13.830079079 CEST | 1.1.1.1 | 192.168.2.5 | 0xbab | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.211.108 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 10:38:27.289800882 CEST | 1.1.1.1 | 192.168.2.5 | 0xc1d | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Apr 25, 2024 10:38:27.289800882 CEST | 1.1.1.1 | 192.168.2.5 | 0xc1d | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.211.108 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 10:39:14.494929075 CEST | 1.1.1.1 | 192.168.2.5 | 0x50b9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 10:39:14.494929075 CEST | 1.1.1.1 | 192.168.2.5 | 0x50b9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 25, 2024 10:37:58.387259007 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5 | 220-mail92152.maychuemail.com ESMTP Mail Security System
    220- We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 25, 2024 10:37:58.388271093 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152 | EHLO 965969
Apr 25, 2024 10:37:58.741028070 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5 | 250-mail92152.maychuemail.com Hello 965969 [185.152.66.230]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250-SMTPUTF8
    250 HELP
Apr 25, 2024 10:37:58.742093086 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152 | AUTH login bG9uZ194bmtAcXVvY3RvYW4udm4=
Apr 25, 2024 10:37:59.095443964 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Apr 25, 2024 10:37:59.532633066 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5 | 235 Authentication succeeded
Apr 25, 2024 10:37:59.532957077 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152 | MAIL FROM:<long_xnk@quoctoan.vn>
Apr 25, 2024 10:37:59.944677114 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5 | 250 OK
Apr 25, 2024 10:37:59.944936991 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152 | RCPT TO:<dclarkson007@protonmail.com>
Apr 25, 2024 10:38:01.415672064 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5 | 250 Accepted
Apr 25, 2024 10:38:01.415936947 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152 | DATA
Apr 25, 2024 10:38:01.776878119 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
Apr 25, 2024 10:38:01.777635098 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152 | .
Apr 25, 2024 10:38:07.247893095 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5 | 250 OK id=1rzucA-00000005UV7-0cpf
Apr 25, 2024 10:39:36.185545921 CEST | 49704 | 587 | 192.168.2.5 | 112.213.92.152 | QUIT
Apr 25, 2024 10:39:36.750041008 CEST | 587 | 49704 | 112.213.92.152 | 192.168.2.5 | 221 mail92152.maychuemail.com closing connection
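The SMTP dialogue above is the exfiltration channel in the clear: the server advertises STARTTLS but the client never issues it, sends AUTH LOGIN with the mailbox name as a base64 initial response (bG9uZ194bmtAcXVvY3RvYW4udm4= decodes to long_xnk@quoctoan.vn, the same address as MAIL FROM), answers the 334 UGFzc3dvcmQ6 ("Password:") challenge, and hands the stolen data to an external mailbox. The script below is an added example (not code from the Joe Sandbox report) that parses such a client/server transcript and pulls out the triage indicators: server banner, EHLO name, the public IP the server echoed back, the decoded AUTH username, sender, recipients, and the server-side queue id. The transcript embedded in it is constructed from the table above with C: for the sandbox host and S: for the server; the client's reply to the password challenge is not shown in the report, so it is deliberately absent from the constructed transcript as well.

```python
import base64
import re

# Constructed from the SMTP command table above. C: = 192.168.2.5:49704, S: = 112.213.92.152:587.
# The client's base64 reply to the "334 UGFzc3dvcmQ6" challenge is not in the report, so it is not here either.
TRANSCRIPT = """\
S: 220-mail92152.maychuemail.com ESMTP Mail Security System
S: 220- We do not authorize the use of this system to transport unsolicited,
S: 220 and/or bulk e-mail.
C: EHLO 965969
S: 250-mail92152.maychuemail.com Hello 965969 [185.152.66.230]
S: 250-SIZE 52428800
S: 250-8BITMIME
S: 250-PIPELINING
S: 250-PIPECONNECT
S: 250-AUTH PLAIN LOGIN
S: 250-STARTTLS
S: 250-SMTPUTF8
S: 250 HELP
C: AUTH login bG9uZ194bmtAcXVvY3RvYW4udm4=
S: 334 UGFzc3dvcmQ6
S: 235 Authentication succeeded
C: MAIL FROM:<long_xnk@quoctoan.vn>
S: 250 OK
C: RCPT TO:<dclarkson007@protonmail.com>
S: 250 Accepted
C: DATA
S: 354 Enter message, ending with "." on a line by itself
C: .
S: 250 OK id=1rzucA-00000005UV7-0cpf
C: QUIT
S: 221 mail92152.maychuemail.com closing connection
"""


def _b64_text(token):
    """Decode a SASL base64 token to text; None when the token is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def parse_smtp_session(transcript):
    """Walk a C:/S: SMTP dialogue and collect the indicators an analyst needs from it."""
    iocs = {
        "server": None,            # hostname from the 220 banner
        "ehlo_name": None,         # name the client announced itself with
        "public_ip": None,         # client address as echoed by the server in its EHLO reply
        "auth_mechanism": None,
        "auth_user": None,         # decoded from the AUTH LOGIN/PLAIN initial response or challenge reply
        "auth_succeeded": False,
        "starttls_offered": False,
        "starttls_used": False,
        "mail_from": None,
        "rcpt_to": [],
        "queue_id": None,          # server-side message id from the 250 that ends DATA
    }
    last_cmd = None
    expect = None  # "user" while the next client line answers a "Username:" challenge
    for raw in transcript.splitlines():
        who, _, text = raw.partition(": ")
        if who == "C":
            if expect == "user":
                iocs["auth_user"] = _b64_text(text.strip())
                expect = None
                continue
            verb, _, arg = text.partition(" ")
            last_cmd = verb.upper()
            if last_cmd == "EHLO":
                iocs["ehlo_name"] = arg.strip()
            elif last_cmd == "STARTTLS":
                iocs["starttls_used"] = True
            elif last_cmd == "AUTH":
                mech, _, initial = arg.partition(" ")
                mech = mech.upper()
                iocs["auth_mechanism"] = mech
                if mech == "LOGIN" and initial:
                    iocs["auth_user"] = _b64_text(initial.strip())
                elif mech == "PLAIN" and initial:  # PLAIN is "authzid\0authcid\0password"
                    parts = (_b64_text(initial.strip()) or "").split("\0")
                    if len(parts) == 3:
                        iocs["auth_user"] = parts[1]
            elif last_cmd in ("MAIL", "RCPT"):
                m = re.search(r"<([^>]*)>", arg)
                addr = m.group(1) if m else arg.split(":", 1)[-1].strip()
                if last_cmd == "MAIL":
                    iocs["mail_from"] = addr
                else:
                    iocs["rcpt_to"].append(addr)
        elif who == "S":
            code, rest = text[:3], text[4:]  # "250-X" and "250 X" both carry their text from offset 4
            if code == "220" and iocs["server"] is None:
                iocs["server"] = rest.split()[0]
            elif code == "250" and last_cmd == "EHLO":
                m = re.search(r"\[([\d.]+)\]", rest)
                if m:
                    iocs["public_ip"] = m.group(1)
                if rest.strip().upper() == "STARTTLS":
                    iocs["starttls_offered"] = True
            elif code == "250" and last_cmd == ".":
                m = re.search(r"\bid=(\S+)", rest)
                iocs["queue_id"] = m.group(1) if m else None
            elif code == "334":
                if (_b64_text(rest.strip()) or "").lower().startswith("username"):
                    expect = "user"
            elif code == "235":
                iocs["auth_succeeded"] = True
    return iocs


def findings(iocs):
    """Turn the parsed session into the one-line findings that go into a triage note."""
    out = []
    if iocs["auth_mechanism"] in ("LOGIN", "PLAIN") and not iocs["starttls_used"]:
        out.append(f"{iocs['auth_mechanism']} credentials for {iocs['auth_user']} "
                   f"sent in the clear to {iocs['server']}")
    if iocs["auth_succeeded"] and iocs["rcpt_to"]:
        out.append(f"mail from {iocs['mail_from']} accepted for {', '.join(iocs['rcpt_to'])} "
                   f"(queue id {iocs['queue_id']})")
    return out


if __name__ == "__main__":
    for line in findings(parse_smtp_session(TRANSCRIPT)):
        print(line)
```

Because the credentials travel in plaintext on port 587, the same parser run over a real capture recovers the password too; on a compromised mailbox that is the first thing to rotate, and the queue id in the final 250 is what to hand to the mail provider when asking for the message to be traced.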


                            Target ID:0
                            Start time:10:37:52
                            Start date:25/04/2024
                            Path:C:\Users\user\Desktop\SWIFT.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\SWIFT.exe"
                            Imagebase:0xf80000
                            File size:687'616 bytes
                            MD5 hash:C3783358A70C67DB7BA565A68872B2D6
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2036561499.0000000005AF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2034008651.0000000004309000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2034008651.000000000505D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2034008651.000000000505D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:10:37:53
                            Start date:25/04/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                            Imagebase:0x300000
                            File size:262'432 bytes
                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:3
                            Start time:10:37:53
                            Start date:25/04/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                            Imagebase:0xf90000
                            File size:262'432 bytes
                            MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3245436957.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3244352148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3244352148.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3245436957.000000000329E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3245436957.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3245436957.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:moderate
                            Has exited:false


                              Execution Graph

                              Execution Coverage:9.4%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:99
                              Total number of Limit Nodes:4
execution_graph (rendered as a graph on the original page). API call nodes in the graph: GetModuleHandleW (0x197afe0), LoadLibraryExW (0x197b030, 0x197b040, 0x197a130, 0x197b220), DuplicateHandle (0x197d27c, 0x197d690), FindCloseChangeNotification (0x8a60c34, 0x8a61d68), CallWindowProcW (0x58b40da), CreateActCtxA (0x19744b4, 0x1975918).

                              Control-flow Graph

                              • Executed
                              • Not Executed
control_flow_graph for the function at 0x58bdcc8 (basic blocks 0x58bdcc8 through 0x58bed45; executed/not-executed graph rendered on the original page)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID: &IH3$4']q$TJbq$Te]q$paq$xb`q
                              • API String ID: 0-2481757060
                              • Opcode ID: 9f41c42a90a8b3112ec81b3550bdfb3f3517dececa48078c4246372d7964cd3b
                              • Instruction ID: 829bb08ed63dd28f4b1a8376b27938fcb81aac6a456c372adbf3636691a4d138
                              • Opcode Fuzzy Hash: 9f41c42a90a8b3112ec81b3550bdfb3f3517dececa48078c4246372d7964cd3b
                              • Instruction Fuzzy Hash: 8CB2C274A00628CFDB65CF69C984AD9BBB6FF89304F1581E9D509AB325DB319E81CF40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d6cf7477a58d6d6f3409d710de5dc5946cafaeba15b5bd8d8a98d6b96844f90
                              • Instruction ID: 24858fea15577d7f5f92ac86cf0d4449c9cf4e5feb93e1ce879eec24dc787c5c
                              • Opcode Fuzzy Hash: 0d6cf7477a58d6d6f3409d710de5dc5946cafaeba15b5bd8d8a98d6b96844f90
                              • Instruction Fuzzy Hash: 8DA2F374A012198FDB14DF68C994AD9B7B2FF99300F5082E9D949AB360DB70AEC5CF41
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 730b98026e616a629db70cb4b5796373a9397a0374214421c33ec9cf7f7a8e44
                              • Instruction ID: 88797973fb2a7de3c6c7873eec7d44521898a4b892edfbb5cafb71dcf1dc8d19
                              • Opcode Fuzzy Hash: 730b98026e616a629db70cb4b5796373a9397a0374214421c33ec9cf7f7a8e44
                              • Instruction Fuzzy Hash: E592F374A012198FDB14DF68C894AD9B7B2FF99300F5082E9D949AB360DB70AEC5CF41
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2037818471.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a60000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 65af076b063fdfff380467f7bf02b670aae7df8d5641ad836ef597822047e39c
                              • Instruction ID: 44e5258596743a355b832d8b35b6bd5ab0e135fccdd78118b27b2cfb7ec6f86c
                              • Opcode Fuzzy Hash: 65af076b063fdfff380467f7bf02b670aae7df8d5641ad836ef597822047e39c
                              • Instruction Fuzzy Hash: A2D1AB30B00A018FDB15EB79C550B6EB7FAAFC8612F14446DD10AEBA94DB39E841CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c22bfb8225ae0eda5275a9c72950827a63f8b8c5ee992a120f70e3416d6d3567
                              • Instruction ID: c4732ac8ac41e4b7495680b9e4161af6646fae03411bdb9f8b5eff74fd6ea296
                              • Opcode Fuzzy Hash: c22bfb8225ae0eda5275a9c72950827a63f8b8c5ee992a120f70e3416d6d3567
                              • Instruction Fuzzy Hash: 9A11DE71D056188BE718CFABC9052DDBAF7AFC8300F04C03AD919AB658EB7409468B50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
control_flow_graph for the function at 0x197ada8 (basic blocks 0x197ada8 through 0x197b028; calls into 0x197a0cc, 0x197a0d8, 0x197a0e8, 0x197a0f8, 0x197a108, 0x197b030 and 0x197b040; GetModuleHandleW at 0x197afe0; executed/not-executed graph rendered on the original page)
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0197AFFE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 1584647977491a857bac06b331bdeb19c0a3d8c2101ae51a237a640e7e1336d4
                              • Instruction ID: a2471fb9a98effc33810f32a60599ee0cd851991faad0f4a142e5ff158494e3d
                              • Opcode Fuzzy Hash: 1584647977491a857bac06b331bdeb19c0a3d8c2101ae51a237a640e7e1336d4
                              • Instruction Fuzzy Hash: CA715470A00B058FE724DF2AD44479ABBF5FF88301F048A2DD49AD7A50DB35E949CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
control_flow_graph for the function at 0x19744b4 (basic blocks 0x19744b4 through 0x1975a61; CreateActCtxA in the entry block; executed/not-executed graph rendered on the original page)
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 019759C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: bd5a10dbf012515ad5e838fcc7921320d7b021338c0d8d83cc0d1dbda59b9672
                              • Instruction ID: 17ee3d0aa7487a5e4ae1c277d83b613c43e44878563938ab2b05ddd63e0b6a2e
                              • Opcode Fuzzy Hash: bd5a10dbf012515ad5e838fcc7921320d7b021338c0d8d83cc0d1dbda59b9672
                              • Instruction Fuzzy Hash: 9941E2B0C0071DCBDB24DFAAC984B9DBBF5BF49304F60806AD408AB255DB756946CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
control_flow_graph for the function at 0x197590c (basic blocks 0x197590c through 0x1975a61; CreateActCtxA in block 0x197591c; executed/not-executed graph rendered on the original page)
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 019759C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: cac34ba5b575fde0e782351cdd73f2344853ccc83c2afcbe196a17a879471eab
                              • Instruction ID: 60cef8ca831878ce27e2acb0d35a2d303beeadc6ef3dc0d820b1559d9a0e48cd
                              • Opcode Fuzzy Hash: cac34ba5b575fde0e782351cdd73f2344853ccc83c2afcbe196a17a879471eab
                              • Instruction Fuzzy Hash: 8441E2B0C00719CADB24DFAAC984BDDBBF5BF49304F20816AD418AB255DB756946CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
control_flow_graph for the function at 0x58b4040 (basic blocks 0x58b4040 through 0x58b415c; CallWindowProcW in block 0x58b40da; executed/not-executed graph rendered on the original page)
                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 058B4101
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: 3b86e09d9a89754b3aa72e21d9f90b0c9c95021eb663984b178ac9aa5e173122
                              • Instruction ID: d627885762c191369b4e1d50f92979654f0d8ac3486b41380cd688aa72b221b0
                              • Opcode Fuzzy Hash: 3b86e09d9a89754b3aa72e21d9f90b0c9c95021eb663984b178ac9aa5e173122
                              • Instruction Fuzzy Hash: C14129B4900309CFDB14DF99C449AAABBFAFB89314F248459D919A7321D374A845CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph (rendered graph in the original): basic blocks 197d27c-197d74a; DuplicateHandle is called in the entry block 197d27c-197d724.
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0197D656,?,?,?,?,?), ref: 0197D717
                              Memory Dump Source
                              • Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 184d97d222fdbd63b3f188b3f3888b8151904575a77c1980d4224fb0cf2a8d55
                              • Instruction ID: db18b2e4d499a498c684a90ef0634e920f61c2639ca479033bc439e7c225966d
                              • Opcode Fuzzy Hash: 184d97d222fdbd63b3f188b3f3888b8151904575a77c1980d4224fb0cf2a8d55
                              • Instruction Fuzzy Hash: 4921E3B59002489FDB10CFAAD584AEEFFF9EF48310F14841AE918A7310D378A954CFA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph (rendered graph in the original): basic blocks 197d689-197d74a; DuplicateHandle is called in the entry block 197d689-197d724.
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0197D656,?,?,?,?,?), ref: 0197D717
                              Memory Dump Source
                              • Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 88586f421893eed7e01e9b5d037932f02168ebc86af55d3b052e9c2399494f7b
                              • Instruction ID: d6a9c20d52bf2da818607f72936d69d4ccf78caab2c9e67b8d09b792033ec65b
                              • Opcode Fuzzy Hash: 88586f421893eed7e01e9b5d037932f02168ebc86af55d3b052e9c2399494f7b
                              • Instruction Fuzzy Hash: 7F21B3B59002499FDB10CFA9D585AEEFBF5FF48314F14841AE918A3250D378A954CFA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph (rendered graph in the original): basic blocks 197a130-197b2bd; LoadLibraryExW is called in block 197b268-197b297.
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0197B079,00000800,00000000,00000000), ref: 0197B28A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 3bd806924d290ba47b5ccde40e428787075e8248c5179e94cc63f191e256980f
                              • Instruction ID: ec22bc327ea7e5c2e3d4242a7834274bddd14a03e01a3e12490d357456105e26
                              • Opcode Fuzzy Hash: 3bd806924d290ba47b5ccde40e428787075e8248c5179e94cc63f191e256980f
                              • Instruction Fuzzy Hash: 7B1126B69003088FDB10CF9AD448BEEFBF8EF58310F10842AD919A7210C379A545CFA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph (rendered graph in the original): basic blocks 197b219-197b2bd; LoadLibraryExW is called in block 197b268-197b297.
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0197B079,00000800,00000000,00000000), ref: 0197B28A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 80c5c3b75a90b03bf74ce069bf94edb8c52ce4eae58f2ff1c3283301b3753ef4
                              • Instruction ID: 0a0ba1ad537929e15c81eec0d81082d86cace0f091dbaf8f6d8be04f1af8c247
                              • Opcode Fuzzy Hash: 80c5c3b75a90b03bf74ce069bf94edb8c52ce4eae58f2ff1c3283301b3753ef4
                              • Instruction Fuzzy Hash: 181112B68003488FDB10CFAAD848B9EFBF8EF48310F10842AD919A7210C779A545CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph (rendered graph in the original): basic blocks 8a60c34-8a61dfe; FindCloseChangeNotification is called in the entry block 8a60c34-8a61dcd.
                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,08A61C19,?,?), ref: 08A61DC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2037818471.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a60000_SWIFT.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 7354462bad37a670fb8620cc60352d4930be1bb299674ed6012feb0bf975fbd6
                              • Instruction ID: 1769abea3d25589472164432676de535ef898d6d625f3aee8616fb4e15cb6793
                              • Opcode Fuzzy Hash: 7354462bad37a670fb8620cc60352d4930be1bb299674ed6012feb0bf975fbd6
                              • Instruction Fuzzy Hash: 301125B1800349CFCB20DF9AC545BEEBBF4EB49320F108819D958A7640D738A984CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,08A61C19,?,?), ref: 08A61DC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2037818471.0000000008A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A60000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a60000_SWIFT.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 1a0356633aa1ef79cb24d5303541ad104c56d41912d7ef1bb610d842560b3b43
                              • Instruction ID: 62b353b00c19abeded6dddea41a7746f7c4e7fc946fd4adc74abd3fbaded823e
                              • Opcode Fuzzy Hash: 1a0356633aa1ef79cb24d5303541ad104c56d41912d7ef1bb610d842560b3b43
                              • Instruction Fuzzy Hash: 001125B58006498FCB20DFAAD545BEEBFF4EB48320F208819D558A7650D378A545CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0197AFFE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 567b402e2540d87a49c4b817ccda50e65b038ca055af2201a002e11dd9b0b039
                              • Instruction ID: 15b8d624b0aed1248048976b664b4c2ed0c30d069f7fc35b7bf17854549ca940
                              • Opcode Fuzzy Hash: 567b402e2540d87a49c4b817ccda50e65b038ca055af2201a002e11dd9b0b039
                              • Instruction Fuzzy Hash: DF1110B5C003498FDB10CF9AC444ADEFBF8EF88314F10842AD529A7210D379A545CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2032609126.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_191d000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ffe9b191e5b3a3d4da2b84d8ea85293d688b82e409c12646b594ae75cb0c2a9d
                              • Instruction ID: 7db8f4cbbd0967b1ed2f5e6fadda333d15183c1d33fbc88bc82b1040da6a4f8e
                              • Opcode Fuzzy Hash: ffe9b191e5b3a3d4da2b84d8ea85293d688b82e409c12646b594ae75cb0c2a9d
                              • Instruction Fuzzy Hash: CA212771140208DFDB05DF54D9C4F56BFA9FB88714F20C569D90D0B29AC33AE486C6A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2032665460.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_192d000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 91dafda37257fca8817612610c8fcb8f38de922a33fe9e12750327fd66140456
                              • Instruction ID: f33e75d5d04504fa9d29d647788ffe59594ec17e4882cbc86b6d26b0899ce4e0
                              • Opcode Fuzzy Hash: 91dafda37257fca8817612610c8fcb8f38de922a33fe9e12750327fd66140456
                              • Instruction Fuzzy Hash: A8210771504204DFDB05DF98D5C0F26BBA9FB85324F20C96DD90D4B25AC33AD406CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2032665460.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_192d000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4b063863b70b754d7e6039db54a5d926d74ba985b19a7648db69284972eaf475
                              • Instruction ID: eafc5501b444e5b4b368f7d4fff45d9a2e4a70133b7a44eb25e484a42db078f1
                              • Opcode Fuzzy Hash: 4b063863b70b754d7e6039db54a5d926d74ba985b19a7648db69284972eaf475
                              • Instruction Fuzzy Hash: 11210371584240DFDB15DF68D580F26BFA9EB84314F20C969D90D0B26AC33ED406CA61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2032665460.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_192d000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b88f8afb25f677365eb45f89546ed7cee8e90eb0124f103fbceb5c5aee87d7ab
                              • Instruction ID: e0bc834082bbfdc00e9cdc6a1c8f031976774fa82353b54eea1613cb77e860af
                              • Opcode Fuzzy Hash: b88f8afb25f677365eb45f89546ed7cee8e90eb0124f103fbceb5c5aee87d7ab
                              • Instruction Fuzzy Hash: 26219F755493808FDB13CF24D994715BFB1EB46214F28C5EAD8498F6A7C33A980ACB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2032609126.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_191d000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                              • Instruction ID: b2942cc1c5f79c6832d2079352b2c4669e7fec20b13bc49723ce4c72eda7c56d
                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                              • Instruction Fuzzy Hash: 3E112972444244CFDB16CF44D5C4B56BFB1FB84314F24C6A9D9090B29BC33AD456CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2032665460.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_192d000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                              • Instruction ID: 999536cfe1613a39dc0fedb7889d9f3852b805345ccbce775490f8d1c324abde
                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                              • Instruction Fuzzy Hash: 5911BB75504280DFDB02CF54C5C4B15BFA1FB85224F24C6A9D8494B29AC33AD40ACBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2032609126.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_191d000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7af824aae57763bb3f939c186401cdd9e65db25de66a52bb85a33d6c0f227615
                              • Instruction ID: f42adeeae857541a75ac70aeb1fbb71eb87afa13d0c470da461de932c5d9342f
                              • Opcode Fuzzy Hash: 7af824aae57763bb3f939c186401cdd9e65db25de66a52bb85a33d6c0f227615
                              • Instruction Fuzzy Hash: 6E01FCB10043889AE7105A99CD8CB67BFDCDF45361F18C929ED0C0A24AD2799481CA71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2032609126.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_191d000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7c9aec9a4279cf7ddd966850fbefef0aff7bb810a1277cb560eced306eff3adb
                              • Instruction ID: 0938ccade2b6c83f97447f7c197ac290bf6589f2aacd39c0968dc6d593e0719c
                              • Opcode Fuzzy Hash: 7c9aec9a4279cf7ddd966850fbefef0aff7bb810a1277cb560eced306eff3adb
                              • Instruction Fuzzy Hash: 08F0C2B10043849AE7118E5AC888B62FFECEF45235F18C45AED4C0B28AC2799880CAB0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID: TJbq$Te]q$xb`q
                              • API String ID: 0-1930611328
                              • Opcode ID: 04ae426ca852d4444579243d8209d6994b51157f61c546ec72f2e7a79e6c372f
                              • Instruction ID: cd10c491b93dc17f74324df7cb9e74b6a4fa375c4c1baf0c51ad585861e92250
                              • Opcode Fuzzy Hash: 04ae426ca852d4444579243d8209d6994b51157f61c546ec72f2e7a79e6c372f
                              • Instruction Fuzzy Hash: 73D18575E016188FDB58CF6AD9546D9BBF6BFC8300F14C1AAD808AB324DB309E858F50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4']q
                              • API String ID: 0-1259897404
                              • Opcode ID: 9ffd6aacf56d67d55184dfd63e45ee6e1edd7a669aac4479df76e5c4b09cc05e
                              • Instruction ID: ab7fe5fc146c91215580d5ba6f8b420f884f03adc503b4c9b569684f34307bcc
                              • Opcode Fuzzy Hash: 9ffd6aacf56d67d55184dfd63e45ee6e1edd7a669aac4479df76e5c4b09cc05e
                              • Instruction Fuzzy Hash: 386101B0A102098FD748DF6AE9516AABFF6FFC8300F14D526D50497268DB78A945CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4']q
                              • API String ID: 0-1259897404
                              • Opcode ID: b66d0d5fe6024d6aa6cde55fdd4b5b61f7028b225d1bc14ad372c721607e8f66
                              • Instruction ID: f7f49694ecdcf3c16f0128888b825272c7b0ddafcdd8c068be8a381d475fe3c4
                              • Opcode Fuzzy Hash: b66d0d5fe6024d6aa6cde55fdd4b5b61f7028b225d1bc14ad372c721607e8f66
                              • Instruction Fuzzy Hash: A761F2709102098FD748DF6AE9516AABFF6FFC8300F14D52AD50497264EF78A945CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 951aebec55f299d9919e5fff3de19f0c34138e52c87ca2b2f3d4187be1e8ad65
                              • Instruction ID: 441d86ce5f806cd7883b38817fa9a0c04957434084886cb723d5c226c87f6a52
                              • Opcode Fuzzy Hash: 951aebec55f299d9919e5fff3de19f0c34138e52c87ca2b2f3d4187be1e8ad65
                              • Instruction Fuzzy Hash: CC12A2B1A097459AF330CF65E84C1893AB1BF85328BD24309D2656A6EDDBB8154FCFC4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5cb8dd94dc4674e4367a8eb2cd3df984cfc22f0ab5828e1e2833bd7e68bff579
                              • Instruction ID: dec490504dc5d2844b2d55d5ba5d666d991a6d5d3215fe24936962d5d9958a1a
                              • Opcode Fuzzy Hash: 5cb8dd94dc4674e4367a8eb2cd3df984cfc22f0ab5828e1e2833bd7e68bff579
                              • Instruction Fuzzy Hash: 90A18E32E0020A8FCF15DFB4D8449DEBBB6FF85301B15456AE91ABB265DB31E915CB80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fd8c541d25c410e6722c4916a5f71fe12383032f2e7fef7b4105595344aa4cf5
                              • Instruction ID: 48870a6edfee5ae0b81722bc12c9f426fd11f6e16bc8dd183e131507e52d4e30
                              • Opcode Fuzzy Hash: fd8c541d25c410e6722c4916a5f71fe12383032f2e7fef7b4105595344aa4cf5
                              • Instruction Fuzzy Hash: 23C109B0A087459BE721CF24E8481897BB1BF85328F924309D2616B2EDDBB4154FCFC4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Execution Graph

                              Execution Coverage: 11.8%
                              Dynamic/Decrypted Code Coverage: 100%
                              Signature Coverage: 0%
                              Total number of Nodes: 3
                              Total number of Limit Nodes: 0
                              Execution graph (rendered graph in the original): 67ce268 -> 67ce2b6 (GlobalMemoryStatusEx) -> 67ce2e6
                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bc417e127e66d0261ab007c7e4e87be484599614825342ebf9111772bd839fc3
                              • Instruction ID: 440dbabb4314e7bb09c7849820877374a29e7188ad53851e160499a640bb4c5c
                              • Opcode Fuzzy Hash: bc417e127e66d0261ab007c7e4e87be484599614825342ebf9111772bd839fc3
                              • Instruction Fuzzy Hash: 9E63F931D10B1A8ADB51EB68C8405A9F7B1FF99300F15C79AE458BB121EB70AAD5CF81
                              Uniqueness

                              Uniqueness Score: -1.00%
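                              The function records above are the raw export of Joe Sandbox's per-function metadata, and several of them are overlapping entry points into the same code (for example, both DuplicateHandle records point at the single call site 0197D717). The parser below is an added example, not part of the Joe Sandbox report or its tooling: it reads the "APIs", "Source File" and "Snapshot File" lines, groups them into one record per "Uniqueness Score" block, and lists the distinct Windows API call sites that sit in memory marked "based on PE: false", i.e. runtime-generated code rather than a mapped image. The sample input is excerpted from the records on this page. One assumption is labelled in the code: the .sdmp file name is read as process index, phase, dump id, base address and a fifth field treated as the Windows page protection (0x40 = PAGE_EXECUTE_READWRITE); only the process index and base address are confirmed by the report's own "Offset:" and "Snapshot File:" lines.

```python
"""Flatten Joe Sandbox per-function records into a triage list.

Added example; not part of the Joe Sandbox report or its tooling.
Assumption: the .sdmp name is read as
<process index>.<phase>.<dump id>.<base>.<protect>... with field 5 taken as the
Windows page protection. Only the process index and base address are confirmed
by the report's own "Offset:" and "Snapshot File:" lines.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAGE_EXECUTE_READWRITE = 0x40  # Windows page protection constant

API_RE = re.compile(r"^\s*[•*-]?\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(r"^\s*[•*-]?\s*Source File:\s*(\S+)\.sdmp,\s*Offset:\s*([0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(true|false)")
SNAP_RE = re.compile(r"^\s*[•*-]?\s*Snapshot File:\s*hcaresult_\d+_\d+_[0-9A-Fa-f]+_(\w+)\.jbxd")
END_RE = re.compile(r"^\s*Uniqueness Score:")


@dataclass
class FunctionRecord:
    process_index: Optional[int] = None
    process_name: str = ""
    base: Optional[int] = None
    protect: Optional[int] = None
    based_on_pe: Optional[bool] = None
    apis: List[Tuple[str, str, int]] = field(default_factory=list)  # (module, api, ref)

    @property
    def dynamic_rwx(self) -> bool:
        """Code in writable+executable memory that is not a mapped PE image."""
        return self.based_on_pe is False and self.protect == PAGE_EXECUTE_READWRITE


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per block terminated by a 'Uniqueness Score' line."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for line in text.splitlines():
        if m := API_RE.match(line):
            api, module, _args, ref = m.groups()
            cur.apis.append((module, api, int(ref, 16)))
        elif m := SRC_RE.match(line):
            fields = m.group(1).split(".")
            cur.process_index = int(fields[0], 16)
            cur.base = int(m.group(2), 16)
            cur.protect = int(fields[4], 16)  # assumption: field 5 is the page protection
            cur.based_on_pe = m.group(3) == "true"
        elif m := SNAP_RE.match(line):
            cur.process_name = m.group(1)
        elif END_RE.match(line):
            records.append(cur)
            cur = FunctionRecord()
    if cur.base is not None:  # export cut off before its final score line
        records.append(cur)
    return records


def unique_api_sites(records: List[FunctionRecord]) -> List[Tuple[str, str, str, str]]:
    """Distinct (process, module, api, ref) call sites inside dynamic RWX code.

    Overlapping records (several entry points into one tail) repeat the same
    ref address; the set collapses them to a single site.
    """
    sites = set()
    for rec in records:
        if rec.dynamic_rwx:
            for module, api, ref in rec.apis:
                sites.add((rec.process_name, module, api, f"{ref:08X}"))
    return sorted(sites)


# Lines excerpted from the records on this page (constructed test input).
SAMPLE = """\
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 058B4101
Memory Dump Source
• Source File: 00000000.00000002.2036379619.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
• Snapshot File: hcaresult_0_2_58b0000_SWIFT.jbxd
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0197D656,?,?,?,?,?), ref: 0197D717
Memory Dump Source
• Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
• Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0197D656,?,?,?,?,?), ref: 0197D717
Memory Dump Source
• Source File: 00000000.00000002.2032902694.0000000001970000.00000040.00000800.00020000.00000000.sdmp, Offset: 01970000, based on PE: false
• Snapshot File: hcaresult_0_2_1970000_SWIFT.jbxd
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
• Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for site in unique_api_sites(parse_records(SAMPLE)):
        print("%s  %s!%s @ %s" % site)
```

                              Run it over a saved copy of this report section and the two DuplicateHandle records collapse to one line, while the MSBuild record, which lists no API in this excerpt, contributes nothing to the site list but is still counted as a dynamic-code region.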

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d496b5acaf0f0dadca4f86383158c1743e1f492b05e65f519a5be4edc03c57a3
                              • Instruction ID: 2d336bc29d9042d95f99504535b9242da065d558400c7868233219c15070107c
                              • Opcode Fuzzy Hash: d496b5acaf0f0dadca4f86383158c1743e1f492b05e65f519a5be4edc03c57a3
                              • Instruction Fuzzy Hash: 90332E31D10B198EDB11EFA8C8906ADF7B5FF99300F15C79AD458A7211EB70AAC5CB81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: \Vl
                              • API String ID: 0-682378881
                              • Opcode ID: d7c28e26d3ff92687cebfcfc60fc83edb0a07e24c31340e21f9c5dcf68195370
                              • Instruction ID: c7e2498cf0eedfa0d16898e1e5853931202f26e4ec8d3316e5b3b602be77e81e
                              • Opcode Fuzzy Hash: d7c28e26d3ff92687cebfcfc60fc83edb0a07e24c31340e21f9c5dcf68195370
                              • Instruction Fuzzy Hash: EE915A74E116099FDF50CFAED98179EBBF2AF88304F188129E419AB354EB749845CB81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d23c2fc9210821d17d92a1d306a3bcc09f97d0ac2212d42d0db06e6a70cf35cf
                              • Instruction ID: 28a23921213b30d72e02e7df6b5b0b6631d5f0984f342fe571c20a7db16ece17
                              • Opcode Fuzzy Hash: d23c2fc9210821d17d92a1d306a3bcc09f97d0ac2212d42d0db06e6a70cf35cf
                              • Instruction Fuzzy Hash: 9A226C35B016098FDB54DFA8E984AADBBF6EF88310F148569E809DB394DB34DC41CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f0994e99d968197b12c89c1225232bbe1d1ac9117210902e13ce290d7190d94e
                              • Instruction ID: b4403f0d606858c50fce06c754a8b1ca4e7b75b981e0e71e2f03350094540f50
                              • Opcode Fuzzy Hash: f0994e99d968197b12c89c1225232bbe1d1ac9117210902e13ce290d7190d94e
                              • Instruction Fuzzy Hash: ECB16E74E116098FDB50CFEED88179DFBF2AF88314F188529D419AB354EBB49845CB81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Rendered graph not preserved; recovered from its node list: basic blocks 30a4805-30a4a5c, two call sites to 30a0ab8 (at 30a4a17 and 30a4a2b). The executed / not-executed colouring of the original image is lost.
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: \Vl$\Vl
                              • API String ID: 0-415357090
                              • Opcode ID: f5d81b7808db5ef108b255bcd7a1209574f8a87dc854522d67b77888554a4e3b
                              • Instruction ID: 5af50f9eb961946b40cd7f05a5eb44c9a2a8b04875de3e4d5e9a68ab5ccdb02c
                              • Opcode Fuzzy Hash: f5d81b7808db5ef108b255bcd7a1209574f8a87dc854522d67b77888554a4e3b
                              • Instruction Fuzzy Hash: 5E717A74D05649DFDB10CFEEE88179EBBF1AF88304F188129E418AB354EBB49841CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Rendered graph not preserved; recovered from its node list: basic blocks 30a4810-30a4a5c, the same body as the preceding graph but entered at 30a4810 instead of 30a4805, with the same two call sites to 30a0ab8 (at 30a4a17 and 30a4a2b). The executed / not-executed colouring of the original image is lost.
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: \Vl$\Vl
                              • API String ID: 0-415357090
                              • Opcode ID: 1fa215d11c5f612720ac7e93750c709335b7c619808a875a2df9429ae775983d
                              • Instruction ID: fd9f00d3c70664c17baf98a18517edb18293bad2f559043fc6851ec92c87e802
                              • Opcode Fuzzy Hash: 1fa215d11c5f612720ac7e93750c709335b7c619808a875a2df9429ae775983d
                              • Instruction Fuzzy Hash: 75717C74E056099FDB10CFEEE88179DBBF2AF88314F188129E414AB354EBB49841CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Rendered graph not preserved; recovered from its node list: basic blocks 30a6edf-30a70f9; calls to 30a6c48 (from 30a6edf) and 30a6774 (from 30a6f4c); a call at 30a6f9b with seven resolved targets (30a78c5, 30a78c9, 30a78cd, 30a78d1, 30a78d5, 30a78d9, 30a7910); a back edge from 30a703e to 30a6f96. The executed / not-executed colouring of the original image is lost.
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR]q$LR]q
                              • API String ID: 0-3917262905
                              • Opcode ID: edba6d3e57640c722ea8cf4b57e4e9cd9ab5042ddb1bf50187d4f798d09ee370
                              • Instruction ID: 05ec37cb1eecac781505ed51f69c332b721c0fae083363118d1897d75f6f2e6c
                              • Opcode Fuzzy Hash: edba6d3e57640c722ea8cf4b57e4e9cd9ab5042ddb1bf50187d4f798d09ee370
                              • Instruction Fuzzy Hash: DA51D130A01649DFDB15DFB8D854B9EB7B6EF85700F18856AE405EB380DB71D842CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(8B5505FB), ref: 067CE2D7
                              Memory Dump Source
                              • Source File: 00000003.00000002.3249378067.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_67c0000_MSBuild.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID:
                              • API String ID: 1890195054-0
                              • Opcode ID: fa682bd89dc8ec0d7015f73e289461d8a35feb9754a6772efe559229001e71de
                              • Instruction ID: 01f2737e5344359d403d70aac6d2872d376bdfd943dfb313f190f31be82aafd1
                              • Opcode Fuzzy Hash: fa682bd89dc8ec0d7015f73e289461d8a35feb9754a6772efe559229001e71de
                              • Instruction Fuzzy Hash: B511F4B1C0065A9BDB10DF9AC544BAEFBF4AB48320F10816AE518A7240D378A944CFE5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(8B5505FB), ref: 067CE2D7
                              Memory Dump Source
                              • Source File: 00000003.00000002.3249378067.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_67c0000_MSBuild.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID:
                              • API String ID: 1890195054-0
                              • Opcode ID: c7b9c624f476ca39b59ca1cc36dfe8fce3c404914bbb325943ff9c12ce4f3ed6
                              • Instruction ID: 7b7c950d60368f0abbe56c56ee86952d268f57ed528138e496eef404255b92b3
                              • Opcode Fuzzy Hash: c7b9c624f476ca39b59ca1cc36dfe8fce3c404914bbb325943ff9c12ce4f3ed6
                              • Instruction Fuzzy Hash: DE1114B1C0065A9BDB10DFAAC5457EEFBF4BF08320F15816AD418B7240D778A944CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: \Vl
                              • API String ID: 0-682378881
                              • Opcode ID: 9cd66b2e8f46ed9ed21a61f372e0ecedef2a2df9db5959b4955438f484e99940
                              • Instruction ID: 08bd19900a740af27e9b3304985fcf6aa2759e26f512a5b0fc01e127411f651d
                              • Opcode Fuzzy Hash: 9cd66b2e8f46ed9ed21a61f372e0ecedef2a2df9db5959b4955438f484e99940
                              • Instruction Fuzzy Hash: 04A14874E016099FDB50CFEEE98179DFBF2AF88314F188129E418AB354EB749845CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: PH]q
                              • API String ID: 0-3168235125
                              • Opcode ID: 0b1972f364a6ead7d06dc2f01a1d7bae87956e202de08bfd9bc3f6b78f61fe0b
                              • Instruction ID: 8f2202a79202ab1f912cba88ec7194449d56757d60ddad093cdebf292d30e9cc
                              • Opcode Fuzzy Hash: 0b1972f364a6ead7d06dc2f01a1d7bae87956e202de08bfd9bc3f6b78f61fe0b
                              • Instruction Fuzzy Hash: 8431E130B042028FCB55ABB8E95466E7BF7AF89640F184578D006DB385DF39DC46CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: PH]q
                              • API String ID: 0-3168235125
                              • Opcode ID: 04647c8313614a61b3e56e34383a1ad50795379af484b77d7480f83b862a61ec
                              • Instruction ID: e02433950ed6542e544c23c3435d03e5566f169f956d5dd8f0c9ce36452644d3
                              • Opcode Fuzzy Hash: 04647c8313614a61b3e56e34383a1ad50795379af484b77d7480f83b862a61ec
                              • Instruction Fuzzy Hash: B931E1307042028FCB58ABB8E95466F7BE7AF89640F144578D006DB384DF39DC46C7A5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR]q
                              • API String ID: 0-3081347316
                              • Opcode ID: 063d49b672b4e7f162395bbc7153fc01bb8d4d0dbc36eb5d172ce278436497bd
                              • Instruction ID: fdcc1b2cc85c1e4fae4748a55b2f210aa9e7421edb12b001ec84a06a88cdfbec
                              • Opcode Fuzzy Hash: 063d49b672b4e7f162395bbc7153fc01bb8d4d0dbc36eb5d172ce278436497bd
                              • Instruction Fuzzy Hash: A2318E30E11609DBDB14CFE8D844B9EB7B6FF85710F24C569E805EB240EBB1E8428B51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b78d3bb0a9dbb3fe18bbebff3d1852ffab57b98df914d0dfc8b0ae1d6392f7d3
                              • Instruction ID: 60a345c8b2d55f76edd8c3eb8c49a91cdc27c9c511d0e3300d09a908f73ad07c
                              • Opcode Fuzzy Hash: b78d3bb0a9dbb3fe18bbebff3d1852ffab57b98df914d0dfc8b0ae1d6392f7d3
                              • Instruction Fuzzy Hash: 65229130710202DFDB19AE7CF894A5936AAFB85B05B148A79E401CB364CF79DC47DBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1fcd38a38d1bb51c56372e208deb800972091130708d4ea031a1a250bfa4bb0c
                              • Instruction ID: c49c5f06802b6e0138ff2a0d65fe65f4176396c153f503cde66e6c1f1aa643ce
                              • Opcode Fuzzy Hash: 1fcd38a38d1bb51c56372e208deb800972091130708d4ea031a1a250bfa4bb0c
                              • Instruction Fuzzy Hash: 65B16D74E116098FDB50CFEEE88179DFBF1AF88314F188529D418AB354EBB49885CB81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 85d0c9fbd33821a3d0db10d2dd11b61e94a73a00422064278b26760dd336ad24
                              • Instruction ID: 4131003799bda25f96f7fe5cbd8ff7decda4c66ffdda62f663315ebbac13a4cb
                              • Opcode Fuzzy Hash: 85d0c9fbd33821a3d0db10d2dd11b61e94a73a00422064278b26760dd336ad24
                              • Instruction Fuzzy Hash: 67913D35B01608DFDB54DBA8E984AADBBF6EF88310F148569E805D7364DB35EC42CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d5eb4463811e5d5906af656a5f58a21203ed14775122a715af1d7e445f067709
                              • Instruction ID: ede82cecf4276886cc6c6554f54ab3b10569bcef26e88e1de02a78e169486f73
                              • Opcode Fuzzy Hash: d5eb4463811e5d5906af656a5f58a21203ed14775122a715af1d7e445f067709
                              • Instruction Fuzzy Hash: 85510070E016188FDB18CFA9D885B9DBBF1BF48314F188429E819BB394D775A844CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a8cd33bfbb9372be30fb7684a6757198965d2e5199eb8047d06bf8b916f587d7
                              • Instruction ID: 106f43ce1f44a36a08cfe33fcd6b7fc0575cc94efe8a18fdd25dfb9e2591b538
                              • Opcode Fuzzy Hash: a8cd33bfbb9372be30fb7684a6757198965d2e5199eb8047d06bf8b916f587d7
                              • Instruction Fuzzy Hash: 575102B4D016188FDB18CFA9D885B9DFBF1BF48314F188129E819BB390D779A844CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4b5962bf3e314ce75cc6c163d8315298607bb6951fd443d6e9de75d4996f0f20
                              • Instruction ID: e9bf00952ee016d1f3ec12954ad72a900cd17a18a9b0a02a4e9785c4d8536c12
                              • Opcode Fuzzy Hash: 4b5962bf3e314ce75cc6c163d8315298607bb6951fd443d6e9de75d4996f0f20
                              • Instruction Fuzzy Hash: 7751E671302341DFCB09DF2CFE89A487B6DEB55344704A1A8D0055B2BADB38AD0ADFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2952305a68dc2d30fefca66b4fe9e44a3e967688fc7d6e0cf18c82d67654305e
                              • Instruction ID: d2226f6d6ca17e416464b12949f21737f6ca6429ba8e2c9731ca2399a876274e
                              • Opcode Fuzzy Hash: 2952305a68dc2d30fefca66b4fe9e44a3e967688fc7d6e0cf18c82d67654305e
                              • Instruction Fuzzy Hash: B551A571302345DFCB19DF2CFE88A487B6DEB55344300A1A9D0455B2BADB386D1ADFA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1923fc50287c5458a72cb8b79de8f3c55f8d9c826ff81f18da49af4997ff26ea
                              • Instruction ID: 687c238b3c385f33f760322ea390d589b80afb8c947b80b1526083ecc42e9f96
                              • Opcode Fuzzy Hash: 1923fc50287c5458a72cb8b79de8f3c55f8d9c826ff81f18da49af4997ff26ea
                              • Instruction Fuzzy Hash: D0319334B0160A4BDFA0DEEDE98076FB7EAEB85611F240869D50ADB380DB34DC458792
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5dd8dee88a31413d508d3ce2a224e0518b187e5db26f761fc812bb0462765eee
                              • Instruction ID: c3482756f5c5dda7d750aa41150327db8ce059f983968dbc06de6d791406ac05
                              • Opcode Fuzzy Hash: 5dd8dee88a31413d508d3ce2a224e0518b187e5db26f761fc812bb0462765eee
                              • Instruction Fuzzy Hash: 6E319035E1060A8BDB09DFA9D89469EBBF6EF89300F148529E805E7350DB74EC42CB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8320f7201611d0ec9a0fe3a0be182a16a52a7ad57884e0aecb7c136164a69b07
                              • Instruction ID: ef66d4bc949f80c59c7cd1ab818c0aafdb57a00bf49c27e8c556ddbf22f07dde
                              • Opcode Fuzzy Hash: 8320f7201611d0ec9a0fe3a0be182a16a52a7ad57884e0aecb7c136164a69b07
                              • Instruction Fuzzy Hash: E4410DB0D012089FDB14DFA9C484ADEBBF9FF48310F248429E809AB254DB35A945CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9fd833d2fa6ddfeee8a5e69dbd0d2d860d39b74de9f0645499b779628506403c
                              • Instruction ID: bb54d41252b4e6cd601fd771950578b2d599f836f25311097a15a6657357b59d
                              • Opcode Fuzzy Hash: 9fd833d2fa6ddfeee8a5e69dbd0d2d860d39b74de9f0645499b779628506403c
                              • Instruction Fuzzy Hash: 03317E35A1060A8BDB19DFA9D894A9EB7F6BF89300F108529E806E7350DB74AC42CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 473479cf7f03e28195d7a942dbc7205435867c50ae7693278d83571b846f4b6a
                              • Instruction ID: 990463a1490645f094c919c5f113e7d91cad45b0a556b7d48a06ce94e733c19a
                              • Opcode Fuzzy Hash: 473479cf7f03e28195d7a942dbc7205435867c50ae7693278d83571b846f4b6a
                              • Instruction Fuzzy Hash: BF41FDB0D012489FDB14DFA9C580ADEBFF9FF48310F248429E809AB254DB75A945CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9820348713fd96e8184a84f395f0791ae941fcbc0a9563a4a78c4f924ccdb392
                              • Instruction ID: 310eda44f080972da1412b5a0671f28ee959ea0ec543c5ae0f4347356118e590
                              • Opcode Fuzzy Hash: 9820348713fd96e8184a84f395f0791ae941fcbc0a9563a4a78c4f924ccdb392
                              • Instruction Fuzzy Hash: FB31B335F0060A9BDB45CFA9E9946DEF7BAFF89300F148619E805AB240DB71D842CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000003.00000002.3245274373.00000000030A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_30a0000_MSBuild.jbxd